Splunk Search

problem with REX

Contributor

I am giving the following search :

index="maa" | table Name Age Location | rex field="Location" "(?<ONE>(?i)delhi)" | eval ONE=lower(ONE) | stats count(ONE) by ONE

and it is giving me :

delhi 5 (because delhi occurs five times)

but when I am running with multiple keywords :

index="maa" | table Name Age Location | rex field="Location" "(?<ONE>(?i)delhi|kol)" | eval ONE=lower(ONE) | stats count(ONE) by ONE

it is giving me a different count for delhi

delhi 4
kol 2

I am not getting the correct count when I am using it for more than one keyword. Please help, otherwise I have to write "rex" 20 times for 20 keywords.

Please help

Thanks in advance


SplunkTrust

hi abhayneilam

Take your _raw data, paste it into http://gskinner.com/RegExr/ and test your regex until it matches. gskinner's RegExr is just perfect for testing regexes for Splunk.

cheers,

MuS


SplunkTrust

The problem is that in the data multiple cities occur on the same line. You want to match only ONE city per line, either delhi, kol or mumbai.
I cannot create any regex matching this pattern on gskinner.... sorry, but on the other hand I'm no regex expert after all 🙂


SplunkTrust

With your regex this will not work, nor with mine. For example, the first line matches both kol and delhi. Then you have delHi, which does not match delhi - it would match delHi. It will be very tricky to match your expectation, data and regex.

Give me some time.....


Contributor

One pattern per line; kol is there 3 times and delhi 5 times.

Now please help


Contributor

One per line, so it counts 5 :). Please help me to solve this one.


SplunkTrust

No, honestly, as I've written, use gskinner RegExr; it helps a lot. Probably you have some misunderstanding of your raw data and the regex, because kol is there 4 times in the raw data and not only 3 times.


SplunkTrust

delhi is matching 6 times 😉


Contributor

abhay|26|koldelhigmumbaiis_delhiood_di
murari|30|ranigang
abc|32|mumbai is delhi place
murari|30|ranigang_kolbabbu is kol
murari|30|delHI is not in kolkata
mno|100|delhi
murari|30|ranig
xyz|100|delhi

This is my raw data. delhi occurs 5 times, but in the search it comes out as 4 times, and kol occurs 3 times, but in the search it comes out as 2 times.

Now, I think you can provide some solutions for that.

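The three numbers that float around this thread (delhi 4/5/6, kol 2/3/4) come from three different ways of counting the same eight events. The following script is an added illustration, not code from the thread or from Splunk; it replays the raw data posted above with Python's re module (assumed to behave like Splunk's PCRE for these simple patterns) and shows why `rex "(?<ONE>(?i)delhi|kol)"` credits an event to whichever keyword appears first, which is the count the original search returned.

```python
import re
from collections import Counter

# Raw events exactly as posted in the thread (Name|Age|Location).
RAW_EVENTS = """\
abhay|26|koldelhigmumbaiis_delhiood_di
murari|30|ranigang
abc|32|mumbai is delhi place
murari|30|ranigang_kolbabbu is kol
murari|30|delHI is not in kolkata
mno|100|delhi
murari|30|ranig
xyz|100|delhi
"""

KEYWORDS = ("delhi", "kol")


def locations(raw=RAW_EVENTS):
    """Split the pipe-delimited events and return the Location column."""
    return [line.split("|")[2] for line in raw.splitlines() if line.strip()]


def first_match_counts(keywords=KEYWORDS, raw=RAW_EVENTS):
    """Mimic: rex "(?<ONE>(?i)delhi|kol)" | eval ONE=lower(ONE) | stats count by ONE

    rex extracts only the first match per event by default, so an event that
    contains both keywords is credited to whichever one appears first.
    """
    pattern = re.compile("(?P<ONE>" + "|".join(map(re.escape, keywords)) + ")",
                         re.IGNORECASE)
    counts = Counter()
    for loc in locations(raw):
        m = pattern.search(loc)
        if m:
            counts[m.group("ONE").lower()] += 1
    return dict(counts)


def per_keyword_event_counts(keywords=KEYWORDS, raw=RAW_EVENTS):
    """Count events containing each keyword at least once.

    This is what running one rex per keyword gives, and it is the count the
    asker expected (delhi 5, kol 3).
    """
    counts = {}
    for kw in keywords:
        pattern = re.compile(re.escape(kw), re.IGNORECASE)
        counts[kw] = sum(1 for loc in locations(raw) if pattern.search(loc))
    return counts


def occurrence_counts(keywords=KEYWORDS, raw=RAW_EVENTS):
    """Count every occurrence of each keyword, including repeats within an event.

    This matches the 6 and 4 that MuS counted in the raw data.
    """
    pattern = re.compile("|".join(map(re.escape, keywords)), re.IGNORECASE)
    counts = Counter()
    for loc in locations(raw):
        for hit in pattern.findall(loc):
            counts[hit.lower()] += 1
    return dict(counts)


if __name__ == "__main__":
    print("first match per event (the original search):", first_match_counts())
    print("events containing each keyword (one rex per keyword):", per_keyword_event_counts())
    print("all occurrences (rex with max_match=0):", occurrence_counts())
```

The first function reproduces the thread's "delhi 4, kol 2": the first event starts with "kol", so its "delhi" is never extracted. The second gives the "5 and 3" the asker expected, and the third gives the "6 and 4" MuS saw when counting raw occurrences. Splunk's rex does have a max_match option (0 means unlimited) that extracts every match into a multivalue field, which corresponds to the third count, not the second; whether an event should count once per keyword or once per occurrence is the decision to settle before choosing between them.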

SplunkTrust

Exactly, that's why you have to use your raw data and test your regex. I cannot do magic and provide any solution without the raw data.


Contributor

But my question was something different; I am asking for the correct count as shown above. Please help me out with this problem.

Please help me.

Thanks in Advance !!
