Solved: count the field using occurrences of string in the...

goalkeeper · ‎10-19-2020

I am very new to Splunk.

I have an access.log file, which contains the Url and querystring:

url queryString

http://host/getOrder id=1&id=2&id=3

http://host/getUser id=1&id=2

http://host/getUser id=2&id=3

How could I count the url using the occurrence of "id" in the queryString?

So the result I want would be

Url IdCount

http://host/getOrder 3

http://host/getUser 4

Thanks in advance

bowesmana · ‎10-19-2020

@goalkeeper

See this demo example using your data

| makeresults
| eval _raw="url,queryString
http://host/getOrder,id=1&id=2&id=3
http://host/getUser,id=1&id=2
http://host/getUser,id=2&id=3"
| multikv forceheader=1
| table url queryString
| rex field=queryString max_match=0 "id=(?<id>\d+)"
| eval ids=mvcount(id)
| stats sum(ids) as ids by url

What you want is from the rex statement down. This will

Extract the ids into a new field called id based on the regex
Count the number of ids found
Calculate the sum of ids by url

Hope this helps

View solution in original post

bowesmana · ‎10-19-2020

@goalkeeper

See this demo example using your data

| makeresults
| eval _raw="url,queryString
http://host/getOrder,id=1&id=2&id=3
http://host/getUser,id=1&id=2
http://host/getUser,id=2&id=3"
| multikv forceheader=1
| table url queryString
| rex field=queryString max_match=0 "id=(?<id>\d+)"
| eval ids=mvcount(id)
| stats sum(ids) as ids by url

What you want is from the rex statement down. This will

Extract the ids into a new field called id based on the regex
Count the number of ids found
Calculate the sum of ids by url

Hope this helps

goalkeeper · ‎10-20-2020

It works. Thanks again.

count the field using occurrences of string in the field value

count

fields

other

regex

stats

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor