Re: extract field value

iamniks · ‎11-17-2011

Hi, we have csv file in below format.

PROJECT_NAME USER_NAME STATUS

WEB_xxxx David PASSED
WEB_xxxx Rapkin FAILED
WEB_xxxx Rapkin PASSED
WEB_xxxx Diana PASSED
DC_xxxx John FAILED
PROMOTE_xxxx Paul PASSED
AST_xxxx John PASSED

Would like to generate report as below. Basically we would like to group projects based on their prefix and have a count for each group.

PROJECT: COUNT PASSED FAILED
WEB 4 3 1
DC 1 0 1
PROMOTE 1 1 0
AST 1 1 0

woodcock · ‎05-29-2015

Try this:

... | rex "^(?<PROJECT>[^_]*)_[\S]*\s+(?<USER>[\S]*)\s+(?<STATUS>[\S]*) | stats count AS COUNT count(eval(STATUS="PASSED)) AS PASSED BY PROJECT | eval FAILED = COUNT - PASSED

Ayn · ‎11-17-2011

How is this different from this question? http://splunk-base.splunk.com/answers/34471/field-value-count

extract field value

PROJECT_NAME USER_NAME STATUS

The OpenTelemetry Certified Associate (OTCA) Exam

From Manual to Agentic: Level Up Your SOC at Cisco Live

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)

Join the Conversation

extract field value

PROJECT_NAME USER_NAME STATUS

The OpenTelemetry Certified Associate (OTCA) Exam

From Manual to Agentic: Level Up Your SOC at Cisco Live

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)