Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

count if two nonconsecutive string occurs in a statement

ataunk
Explorer
‎04-14-2020 10:04 AM

I want to write a query to take the count if two non-consecutive string occurs in a statement. I am trying to do something like this, but this is not able to take logical AND operator in the match method :

Note : I want to use the query using eval only as in my larger query I have to perform some mathematical operation using more (different) eval variables.

| eval concatsearch=if(match(_raw,"String1 && String2"),1,0) |
eval ccount=if(match(_raw,"cc"),1,0) |
timechart span=1h
sum(concatsearch) as concatsearch,
sum(ccount) as ccount

Tags (1)
0 Karma
Reply

DalJeanis
Legend
‎04-14-2020 10:13 AM

There are many ways to do that, but this one should work:

  | eval concatsearch=if(match(_raw,"String1"),1,0)*if(match(_raw,"String2"),1,0)

If either string is not matched, a zero value will result, if both match, a 1 value will result.

Reply

ataunk
Explorer
‎04-14-2020 10:17 AM

Thanks so much. It works. Love Splunk comunity.

0 Karma
Reply

DalJeanis
Legend
‎04-15-2020 08:25 AM

Yeah, me too. Okay, if that solved your problem, then please "accept" the answer, so it will show as solved.

0 Karma
Reply

ataunk
Explorer
‎04-15-2020 09:21 AM

I just tried to re-run the query and doesn;t look like it is giving the data.. I fi run this query it does give me data

("String1" AND "String2") | timechart count span=1h |sort -_time

Can you please review your query above once

0 Karma
Reply

ataunk
Explorer
‎04-15-2020 09:44 AM

Also, the entire query I am running is :

| eval concatsearch=if(match(_raw,"String1"),1,0)*if(match(_raw,"String2"),1,0)
| timechart sum(concatsearch) span=1h

And I get 0 results, but those string are actually there. Am I doing something worng while using the sum and timechat ?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...