Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

where in stats command

Janani_Krish
Path Finder
‎10-15-2020 10:49 PM

Hello everyone,

I have my fields like below,

indicatortags
indicator 1tag 1,class:234
indicator 2tagg,class:456

I have to group my fields based on tags starting with class, and my query is like below,

sourcetype="my-data" |stats count by tags|where tags="class*"

But I am getting 0 results, as where class is taking only exact values and not "class*"

I want my result as below,

class:234 1

class:456 1

Kindly suggest.

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-16-2020 12:18 AM

The problem with made up data is it can be difficult to give a useful answer.

  • Is tags a single field?
  • Is class always followed by a colon and 3 numbers?
  • Is class always at the end if the tags string?

However, given the example, try

sourcetype="my-data" 
| rex field=tags "(?<class>class:\d+)"
| stats count by class

View solution in original post

Reply
Solved! Jump to solution

renjith_nair
Legend
‎10-16-2020 12:25 AM

Try

|where tags like "%class%"
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

Janani_Krish
Path Finder
‎10-16-2020 01:41 AM

Thanks @renjith_nair  this works. But If I am using this with timechart it is not working.

sourcetype="my-data" |timechart span=4h count by tags|where tags like "%class%"

Can you suggest.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-16-2020 12:18 AM

The problem with made up data is it can be difficult to give a useful answer.

  • Is tags a single field?
  • Is class always followed by a colon and 3 numbers?
  • Is class always at the end if the tags string?

However, given the example, try

sourcetype="my-data" 
| rex field=tags "(?<class>class:\d+)"
| stats count by class
Reply
Solved! Jump to solution

Janani_Krish
Path Finder
‎10-16-2020 01:52 AM

Hi @ITWhisperer ,

Thanks for the reply,

1.No tags contain multiple fields or single field depending upon the log.

2.No class doesnt have any pattern.

3.No class can be anywhere in tags.

Rex command works well with timechart and stats command as well.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-16-2020 12:13 AM

Hi @Janani_Krish,

if the structure of your tags is always "xxx,value" you could use a regex to extract the value after comma, something like this:

 

sourcetype="my-data" 
| stats count by tags
| rex field=tags "^[^,]*,(?<tags>.*)"
| search tags="class*"

 

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

Janani_Krish
Path Finder
‎10-16-2020 01:43 AM

Hi @gcusello ,

Thank you for the suggestion. But my structure varies,,it is not always followed by comma.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-16-2020 01:52 AM

Hi @Janani_Krish,

You should try (if possible) to identify all the rules of your tags field and write all the possible regexes to extract the tags you want.

There'a also anothe choice, if the list of tags isn't lo long and it's manageable, you could put the tags in a lookup and use this lookup to match the events with a tag.

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...