distinct count of specific words with replacing th... - Splunk Community

Splunk Search

Hi,

I have logs coming with server names listed into it and my requirement is to the distinct count of server by assigning region to them.

for example.

entries are like

{"server":"abc.uk" "details": xxxx"}

{"server":"abc.uk" "details": yyyy"}

{"server":"xyz.uk" "details": xxxx"}

{"server":"abc.us" "details": xxxx"}

{"server":"xyz.us" "details": xxxx"}

{"server":"xyz.us" "details": yyyy"}

{"server":"abc.hk" "details": xxxx"}

so now from the above list we have 2 unique servers from UK, 2 unique servers from US and 1 from HK, so i need them to be show as per below.

North America : 2

Europe : 2

Asia : 1

i have tried search as <count(eval(searchmatch("*.us*")))> AS North America but this will not give me the count of unique server

will try this.. thanks

Hi @amitkore3483,

please try something like this:

<your_search>
| rex field=ppp "server\":\"\w+\.(?<nation>[^\"]+)\"\s\"details\":\s(?<details>[^\"]+)"
| stats count By nation details

Ciao.

Giuseppe

Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...