Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

fomation in pattern matching- please help urgently

abhayneilam
Contributor
‎10-27-2012 10:00 AM

I have 2 keywords and I am running query :

index="maa" | table Name Age Location | rex field="Location" (?(?i)"kol") | eval ONE=lower(ONE) |stats count(ONE) by ONE | append [ search index="maa" | table Name Age Location | rex field="Location" (?(?i)"delhi") | eval ONE=lower(ONE) |stats count(ONE) by ONE ]

Out of two keywords ( kol,delhi), Location field is matching only "kol" keyword and I am getting my output as :

kol 10
but I want to get my output as

kol 10
delhi 0

because if there is no match then it should print 0 along with the keyword as above

Please help me to get the output, if pattern doesnot match, it should print 0 along with the pattern ( 0 will represent that there is not such pattern )

Please help !! this is really urgent

Tags (1)
0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎10-29-2012 11:40 AM

ok,if the second sub search doesn't return any result, then there will be nothing to append and splunk will not display it.

The workaround for this is to write a list of your expected lines, and store them in a csv file or a lookup
example file city_list.csv with a column header. 



city, country

delhi, india

kol, india

moscow,russia

you can upload the file with the manager, or generate the file with the result of a search (see outputloookup)

Then during your search use a OUTER JOIN on the city name to match the list to your results, and at the very end, replace the missing values per "zero"

mysupersearch
| table city count
| JOIN type=outer city [ search inpulookup city_list.csv | table city ]
| table city count
| fillnull count value="0"

for details :

lookups
http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/Inputlookup
http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/Outputlookup
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutlookupsandfieldactions

join http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/Join

Reply

yannK
Splunk Employee
Splunk Employee
‎10-29-2012 10:05 AM

Without any sample we cannot test your search.

If your events contains a single value in the field Location, you probably don't need 2 searches, a single one can do the trick.
Also I don't know if your regex is supposed to match "kol" or kol.
Also, the rex command expect | rex field=namofthefield "regexexpression"

example :

index="maa"  kol OR delhi 
| table Name Age Location 
| rex field=Location "(?(?i)kol|delhi)"
| eval one=lower(one) 
|stats count(one) by one
0 Karma
Reply

abhayneilam
Contributor
‎10-29-2012 11:23 AM

my rex is absoutely working fine separately for each keyword,when I am giving it ( kol | delhi ) it is not mathing everything, More over this is not my question , My question is very well defined in my first post but I am still un-answered, I am seeking for the value 0 if my keyword is not matching with the field ( that is my question that how to get 0 count )

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎10-28-2012 07:31 AM

Fields names are case sensitive. Please be consistent in your usage. ( don't use one then ONE)

0 Karma
Reply

abhayneilam
Contributor
‎10-29-2012 02:43 AM

index="maa" | table Name Age Location | rex field="Location" (?(?i)"kol") | eval one=lower(one) |stats count(one) by one | append [ search index="maa" | table Name Age Location | rex field="Location" (?(?i)"delhi") | eval one=lower(one) |stats count(one) by one ]

Now, Please help me to get the solution

0 Karma
Reply

Ayn
Legend
‎10-28-2012 10:37 PM

You still mix one and ONE. Proceed by fixing that.

0 Karma
Reply

abhayneilam
Contributor
‎10-28-2012 10:04 PM

By mistaken I have used "one" instead of "ONE"

index="maa" | table Name Age Location | rex field="Location" (?(?i)"kol") | eval ONE=lower(ONE) |stats count(ONE) by ONE | append [ search index="maa" | table Name Age Location | rex field="Location" (?(?i)"delhi") | eval ONE=lower(ONE) |stats count(ONE) by ONE ]

Above is my query now let me know how do i proceed

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎10-27-2012 11:20 AM

http://splunk-base.splunk.com/answers/62196/any-way-to-return-zero-result-count-stats-of-a-field-suc... may help

0 Karma
Reply

abhayneilam
Contributor
‎10-27-2012 12:03 PM

Thanks gkanapathy for this link :

But I am getting a bit confused with the ans given to this link :

Could you please ( its heartly request ) help me to my query :

index="maa" | table Name Age Location | rex field="Location" (?(?i)"kol") | eval ONE=lower(ONE) |stats count(ONE) by ONE | append [ search index="maa" | table Name Age Location | rex field="Location" (?(?i)"delhi") | eval ONE=lower(ONE) |stats count(ONE) by ONE ]

please help me if any of the keyword is not matching the field "Location" then it should display the keyword along with 0..

Thanks in Advance !! Please

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...