Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

where in stats command

Janani_Krish
Path Finder
‎10-15-2020 10:49 PM

Hello everyone,

I have my fields like below,

indicatortags
indicator 1tag 1,class:234
indicator 2tagg,class:456

I have to group my fields based on tags starting with class, and my query is like below,

sourcetype="my-data" |stats count by tags|where tags="class*"

But I am getting 0 results, as where class is taking only exact values and not "class*"

I want my result as below,

class:234 1

class:456 1

Kindly suggest.

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-16-2020 12:18 AM

The problem with made up data is it can be difficult to give a useful answer.

  • Is tags a single field?
  • Is class always followed by a colon and 3 numbers?
  • Is class always at the end if the tags string?

However, given the example, try

sourcetype="my-data" 
| rex field=tags "(?<class>class:\d+)"
| stats count by class

View solution in original post

Reply
Solved! Jump to solution

renjith_nair
Legend
‎10-16-2020 12:25 AM

Try

|where tags like "%class%"
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

Janani_Krish
Path Finder
‎10-16-2020 01:41 AM

Thanks @renjith_nair  this works. But If I am using this with timechart it is not working.

sourcetype="my-data" |timechart span=4h count by tags|where tags like "%class%"

Can you suggest.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-16-2020 12:18 AM

The problem with made up data is it can be difficult to give a useful answer.

  • Is tags a single field?
  • Is class always followed by a colon and 3 numbers?
  • Is class always at the end if the tags string?

However, given the example, try

sourcetype="my-data" 
| rex field=tags "(?<class>class:\d+)"
| stats count by class
Reply
Solved! Jump to solution

Janani_Krish
Path Finder
‎10-16-2020 01:52 AM

Hi @ITWhisperer ,

Thanks for the reply,

1.No tags contain multiple fields or single field depending upon the log.

2.No class doesnt have any pattern.

3.No class can be anywhere in tags.

Rex command works well with timechart and stats command as well.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-16-2020 12:13 AM

Hi @Janani_Krish,

if the structure of your tags is always "xxx,value" you could use a regex to extract the value after comma, something like this:

 

sourcetype="my-data" 
| stats count by tags
| rex field=tags "^[^,]*,(?<tags>.*)"
| search tags="class*"

 

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

Janani_Krish
Path Finder
‎10-16-2020 01:43 AM

Hi @gcusello ,

Thank you for the suggestion. But my structure varies,,it is not always followed by comma.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-16-2020 01:52 AM

Hi @Janani_Krish,

You should try (if possible) to identify all the rules of your tags field and write all the possible regexes to extract the tags you want.

There'a also anothe choice, if the list of tags isn't lo long and it's manageable, you could put the tags in a lookup and use this lookup to match the events with a tag.

Ciao.

Giuseppe

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...