Solved: Re: Search in single table with multiple stats

mawani · ‎11-15-2021

Hello,

I am having logs in splunk in below manner.

timestamp "LOGGER= PAGE NAME1 Other text"
timestamp "LOGGER= PAGE NAME1 Other text"
timestamp "LOGGER= PAGE NAME2 Other text"
timestamp "LOGGER= PAGE NAME2 Other text"
timestamp "LOGGER= PAGE NAME3 Other text"
timestamp "LOGGER= PAGE NAME3 Other text"
timestamp "LOGGER= PAGE NAME1 Other text"

I formatted search query
index=index-name ns="namespace" | rex field=_raw "LOGGER=\s*(?<PAGE_NAME1>PAGE NAME1*)" | stats count by PAGE_NAME1
| append [search
index=index-name ns="namespace" | rex field=_raw "LOGGER=\s*(?<PAGE_NAME2>PAGE NAME2*)" | stats count by PAGE_NAME2 ]
| append [search
index=index-name ns="namespace" | rex field=_raw "LOGGER=\s*(?<PAGE_NAME3>PAGE NAME3*)" | stats count by PAGE_NAME3 ]

Got result like

PAGE_NAME1	Count	PAGE_NAME2	PAGE_NAME3
PAGE NAME1	3
	2	PAGE NAME2
	2		PAGE NAME3

I am looking result should look below

Page Name	Pages Visited
PAGE_NAME1	3
PAGE_NAME3	2
PAGE_NAME3	2

Any idea how to format search query ?

somesoni2 · ‎11-15-2021

Try like this

index=index-name ns="namespace" | rex field=_raw "LOGGER=\s*(?<PAGE_NAME>(PAGE NAME1|PAGE NAME2|PAGE NAME3)*)" | stats count by PAGE_NAME1

View solution in original post

somesoni2 · ‎11-15-2021

Try like this

index=index-name ns="namespace" | rex field=_raw "LOGGER=\s*(?<PAGE_NAME>(PAGE NAME1|PAGE NAME2|PAGE NAME3)*)" | stats count by PAGE_NAME1

mawani · ‎11-15-2021

Thank You for very quick response and it is working

Search in single table with multiple stats

stats

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor