Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

count if two nonconsecutive string occurs in a statement

ataunk
Explorer
‎04-14-2020 10:04 AM

I want to write a query to take the count if two non-consecutive string occurs in a statement. I am trying to do something like this, but this is not able to take logical AND operator in the match method :

Note : I want to use the query using eval only as in my larger query I have to perform some mathematical operation using more (different) eval variables.

| eval concatsearch=if(match(_raw,"String1 && String2"),1,0) |
eval ccount=if(match(_raw,"cc"),1,0) |
timechart span=1h
sum(concatsearch) as concatsearch,
sum(ccount) as ccount

Tags (1)
0 Karma
Reply

DalJeanis
Legend
‎04-14-2020 10:13 AM

There are many ways to do that, but this one should work:

  | eval concatsearch=if(match(_raw,"String1"),1,0)*if(match(_raw,"String2"),1,0)

If either string is not matched, a zero value will result, if both match, a 1 value will result.

Reply

ataunk
Explorer
‎04-14-2020 10:17 AM

Thanks so much. It works. Love Splunk comunity.

0 Karma
Reply

DalJeanis
Legend
‎04-15-2020 08:25 AM

Yeah, me too. Okay, if that solved your problem, then please "accept" the answer, so it will show as solved.

0 Karma
Reply

ataunk
Explorer
‎04-15-2020 09:21 AM

I just tried to re-run the query and doesn;t look like it is giving the data.. I fi run this query it does give me data

("String1" AND "String2") | timechart count span=1h |sort -_time

Can you please review your query above once

0 Karma
Reply

ataunk
Explorer
‎04-15-2020 09:44 AM

Also, the entire query I am running is :

| eval concatsearch=if(match(_raw,"String1"),1,0)*if(match(_raw,"String2"),1,0)
| timechart sum(concatsearch) span=1h

And I get 0 results, but those string are actually there. Am I doing something worng while using the sum and timechat ?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...