Splunk Search

problem with REX

abhayneilam
Contributor

I am giving the following search :

index="maa" | table Name Age Location | rex field="Location" (?(?i)"delhi") | eval ONE=lower(ONE) |stats count(ONE) by ONE

and it is giving me :

delhi 5 ( because delhi is coming five times )

but when I am running with multiple keywords :

index="maa" | table Name Age Location | rex field="Location" (?(?i)"delhi|kol") | eval ONE=lower(ONE) |stats count(ONE) by ONE

it is giving me some diffent count for delhi

delhi 4
kol 2

I am not getting the correct count when i am using it for more than one keyword. please help otherwise I have to write "rex" 20 times for 20 keywords

Please help

Thanks in advance

Tags (3)
0 Karma

MuS
Legend

hi abhayneilam

take your _raw data, paste them into http://gskinner.com/RegExr/ and test your regex until it matches. gskinner's RegExr is just perfect to test regex for splunk.

cheers,

MuS

0 Karma

MuS
Legend

the problem is, that in the data multiple city occur at the same line. you want to match only ONE city per line, either delhi, kol or mumbai.
I cannot create any regex matching this pattern on gskinner....sorry but on the other hand I'm no regex expert after all 🙂

0 Karma

MuS
Legend

with your regex this will not work, neither with mine. for example the first line matches both kol and delhi. Then you have delHi, that does not match delhi - it would match delHi. this will be very tricky to match your expatiation, data and regex.

give me some time.....

0 Karma

abhayneilam
Contributor

One pattern per line, kol is 3 times and delhi is 5 times..

Now please help

0 Karma

abhayneilam
Contributor

One per line, so it counts 5 :). please help me to solve this one

0 Karma

MuS
Legend

no honestly as I've written use gskinner RegExr it helps a lot. Probably you have some miss understanding of your raw data and the regex because kol is 4 times in the raw data and not only 3 times.

0 Karma

MuS
Legend

delhi is matching 6 times 😉

0 Karma

abhayneilam
Contributor

abhay|26|koldelhigmumbaiis_delhiood_di
murari|30|ranigang
abc|32|mumbai is delhi place
murari|30|ranigang_kolbabbu is kol
murari|30|delHI is not in kolkata
mno|100|delhi
murari|30|ranig
xyz|100|delhi

this is my raw data.. delhi is coming 5 times but in the search it is coming 4 times , and kol is coming 3 times but in the search it is coming 2 times ..

Now , I thing you can provide some solutions on that

0 Karma

MuS
Legend

exactly, that's why you have to use your raw data and test your regex. I cannot do magic and provide any solution without the raw data.

0 Karma

abhayneilam
Contributor

But my question was something different, I am asking for the correct count as shown above..please help me out with this problem...

Please help me ..

Thanks in Advance !!

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...