Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Obtain a count of hits in a query of regexes

kimberlytrayson
Path Finder
‎03-27-2020 02:39 AM

I am searching for a list of regexes in a splunk alert like this:

... | regex "regex1|regex2|...regexn"

Can I modify this query to get a table of the regexes found along with their count. The table shouldn't show rows with 0 counts.

regex2 17
regexn 3
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎03-27-2020 03:41 AM 
 ... | regex "regex1|regex2|...regexn"
| rex  max_match=0 "(?<countfields>regex1|regex2|...regexn)"
| stats count by countfields

View solution in original post

Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎03-27-2020 03:41 AM 
 ... | regex "regex1|regex2|...regexn"
| rex  max_match=0 "(?<countfields>regex1|regex2|...regexn)"
| stats count by countfields
Reply
Solved! Jump to solution

kimberlytrayson
Path Finder
‎03-27-2020 07:48 AM

Great answer @to4kawa.

Looks like | regex line is not needed. This is working for me. Notice the extra brackets.

| rex max_match=0 "(?P<countfields>((regex1)|(regex2)|..|(regexn)))"
| stats count by countfields
0 Karma
Reply
Get Updates on the Splunk Community!

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...