Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need a query to find count of substring within string

caschmid
New Member
‎06-10-2025 10:03 AM

I need a query that will tell me the count of a substring within a string like this ...

"This is my [string]" and I need find the word and count of [string]. "This is my" is always the same but [string] is dynamic and can be many things, such as apple, banana etc. I need tabular data returned to look like 

Word           Count

apple          3

I tried this but doesnt seem to working 

rex field=_raw ".*This is my (?<string>\d+).*" | stats count by string 

 

Labels (1)
Labels
0 Karma
Reply

PrewinThomas
Builder
‎06-10-2025 08:50 PM

@caschmid 

\d+ matches only digits, not any word.

If "This is my" is always constant, you can try below
rex field=_raw "This is my (?<string>\w+)" | stats count by string


Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks!

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎06-10-2025 03:36 PM

Two problems with your regex.

  1. \d represents a digit 0-9.  Unless your "string" only includes digits, \d+ will not match.
  2. As @livehybrid notes, your original string includes a pair of square brackets.

A usable code to extract "apple" from "This is my [apple]" would be

| rex "This is my \[(?<string>[^\]]+)\]"
| stats count by string

Note:

  • _raw is the default field for rex command.
  • .* at beginning and end of a regex serves no purpose except adding cost.
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎06-10-2025 03:35 PM

In addition to the other comments, you don't need the .* at the start and end of the regex

0 Karma
Reply

livehybrid
Super Champion
‎06-10-2025 01:17 PM

Hi @caschmid 

Would something like this work for you? This assumes you know the string you want count, is that right?

livehybrid_0-1749586546263.png

 

| rex max_match=100 field=_raw "(?<extract>\[string\])"
| stats count by extract

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎06-10-2025 11:16 AM

Use https://regex101.com to verify your regexes.

In this case it won't work for "string" not being a number because \d+ means a sequence of digits. Depending on how precise you want to be with this match, you might want \S+ or some other variation.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...
Top