distinct count of specific words with replacing th... - Splunk Community

Splunk Search

Hi,

I have logs coming with server names listed into it and my requirement is to the distinct count of server by assigning region to them.

for example.

entries are like

{"server":"abc.uk" "details": xxxx"}

{"server":"abc.uk" "details": yyyy"}

{"server":"xyz.uk" "details": xxxx"}

{"server":"abc.us" "details": xxxx"}

{"server":"xyz.us" "details": xxxx"}

{"server":"xyz.us" "details": yyyy"}

{"server":"abc.hk" "details": xxxx"}

so now from the above list we have 2 unique servers from UK, 2 unique servers from US and 1 from HK, so i need them to be show as per below.

North America : 2

Europe : 2

Asia : 1

i have tried search as <count(eval(searchmatch("*.us*")))> AS North America but this will not give me the count of unique server

will try this.. thanks

Hi @amitkore3483,

please try something like this:

<your_search>
| rex field=ppp "server\":\"\w+\.(?<nation>[^\"]+)\"\s\"details\":\s(?<details>[^\"]+)"
| stats count By nation details

Ciao.

Giuseppe

Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...