Solved: Re: Search in single table with multiple stats

mawani · ‎11-15-2021

Hello,

I am having logs in splunk in below manner.

timestamp "LOGGER= PAGE NAME1 Other text"
timestamp "LOGGER= PAGE NAME1 Other text"
timestamp "LOGGER= PAGE NAME2 Other text"
timestamp "LOGGER= PAGE NAME2 Other text"
timestamp "LOGGER= PAGE NAME3 Other text"
timestamp "LOGGER= PAGE NAME3 Other text"
timestamp "LOGGER= PAGE NAME1 Other text"

I formatted search query
index=index-name ns="namespace" | rex field=_raw "LOGGER=\s*(?<PAGE_NAME1>PAGE NAME1*)" | stats count by PAGE_NAME1
| append [search
index=index-name ns="namespace" | rex field=_raw "LOGGER=\s*(?<PAGE_NAME2>PAGE NAME2*)" | stats count by PAGE_NAME2 ]
| append [search
index=index-name ns="namespace" | rex field=_raw "LOGGER=\s*(?<PAGE_NAME3>PAGE NAME3*)" | stats count by PAGE_NAME3 ]

Got result like

PAGE_NAME1	Count	PAGE_NAME2	PAGE_NAME3
PAGE NAME1	3
	2	PAGE NAME2
	2		PAGE NAME3

I am looking result should look below

Page Name	Pages Visited
PAGE_NAME1	3
PAGE_NAME3	2
PAGE_NAME3	2

Any idea how to format search query ?

somesoni2 · ‎11-15-2021

Try like this

index=index-name ns="namespace" | rex field=_raw "LOGGER=\s*(?<PAGE_NAME>(PAGE NAME1|PAGE NAME2|PAGE NAME3)*)" | stats count by PAGE_NAME1

View solution in original post

somesoni2 · ‎11-15-2021

Try like this

index=index-name ns="namespace" | rex field=_raw "LOGGER=\s*(?<PAGE_NAME>(PAGE NAME1|PAGE NAME2|PAGE NAME3)*)" | stats count by PAGE_NAME1

mawani · ‎11-15-2021

Thank You for very quick response and it is working

Search in single table with multiple stats

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation