Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

count number of arguments in bat file

thaitran2021
New Member
‎07-27-2021 01:44 PM

I'm trying to count of the number of occurrences / frequency /variations of arguments appearing for a bat file. For example, GradeReport.bat has this template:

GradeReport.bat "grade criteria" "start date" "end date" course# CSV_format

Example:

1) GradeReport.bat "Best grade" "07/20/2021" "07/27/2021" 135629 CSV

2) GradeReport.bat "Average grade" "" "07/27/2021" "" CSV

3) GradeReport.bat "Best grade" "" "" 225386 CSV

4) GradeReport.bat "Student grade" "07/16/2021" "" "" CSV

 

The query would return:

First argument count: 4

Second argument count: 2

Third argument count: 2

"Best grade" = 2

"Average grade" = 1

"Student grade" = 1

etc.

Thanks for the help.

Labels (4)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-27-2021 03:03 PM

The part before the blank lines just sets up some example data as you showed - the part after the blank lines extracts the fields and counts the occurrences.

| makeresults 
| eval _raw="GradeReport.bat \"Best grade\" \"07/20/2021\" \"07/27/2021\" 135629 CSV
GradeReport.bat \"Average grade\" \"\" \"07/27/2021\" \"\" CSV
GradeReport.bat \"Best grade\" \"\" \"\" 225386 CSV
GradeReport.bat \"Student grade\" \"07/16/2021\" \"\" \"\" CSV"
| multikv noheader=t
| fields _raw
| fields - _time




| rex "(?<batfile>\S+)\s+\"(?<grade>[^\"]+)\"\s+\"(?<start>[^\"]*)\"\s+\"(?<end>[^\"]*)\"\s\"?(?<number>\d*)\"?\s+(?<format>.*)"
| foreach *
    [| eval <<FIELD>>=if(<<FIELD>>="",null(),<<FIELD>>)]
| stats count(grade) as first_count count(start) as second_count count(end) as third_count count(number) as fourth_count count as grade_count by grade
| eval {grade}=grade_count
| fields - grade grade_count
| stats sum(*) as *
Reply

TheDeFoor
Explorer
‎07-27-2021 02:25 PM

Hello!

So I don't know of a way to get all of those in one search. It is very doable in a couple searches though!

You should be able to do 

index=main
| stats count by "Grade Criteria"

and get the count per result in each field.

 

 As for your ask for an argument count, that's pretty tricky actually! There may be more elegant ways of doing that, but I settled on the following (I've named the fields generically)

index=main
| fillnull value=NULL
| eval arg1Null = if(arg1 == "NULL", 0, 1)
| eval arg2Null = if(arg2 == "NULL", 0, 1)
| eval arg3Null = if(arg3 == "NULL", 0, 1)
| eval arg4Null = if(arg4 == "NULL", 0, 1)
| eval numArgs = (arg1Null + arg2Null + arg3Null + arg4Null)
| table arg1 arg2 arg3 arg4 numArgs

That is going to take all of your null values, or fields without a value in them, and fill them with the string "NULL". We then create fields checking whether or not the original field was NULL. i.e. if arg1 has a value, it arg1Null gets a value of 1. If it was filled with "NULL", it gets a 0.

We do this for each field, then create a field called numArgs which adds all of them up.

 

I am not sure if that is the most elegant way of doing things, but I was able to get that working! args.png

 

Its easy enough to rename the fields from arg1 to "Best Grade" and so on to work with your data.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Top