×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
mebra1
Loves-to-Learn
Member since: ‎07-04-2022
‎07-08-2022
Community Statistics
Posts 5
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎07-04-2022
Activity Feed
View All

Re: Stats count comma delimited field

by in Splunk Search
‎07-08-2022 11:14 AM
‎07-08-2022 11:14 AM
I was able to solve it by using below query.   field_A="US" field_B="true" | rex field_C="(?<ruleNameFired>.*[0-9,;]*field_D)"|stats count as ruleFired by ruleNameFired   this way I get the complete string value of field_C (including any value after any comma) and next fields name ( that can later on be removed from excel).   Thank you. ... View more

Re: Stats count comma delimited field

by in Splunk Search
‎07-04-2022 10:48 AM
‎07-04-2022 10:48 AM
Thank you @ITWhisperer @PickleRick    each event will be as below, where a tostring() of object will be print out, if this helps. 3 example events message=~ object [field_A=US, field_B=true, field_C=rule1, field_D=X, field_E=Y, field_F=Z] message=~ object [field_A=US, field_B=true, field_C=AB/CD,XYZ, <>DD,CT, field_D=X, field_E=Y, field_F=Z]   message=~ object [field_A=US, field_B=true, field_C=AB/CD,ABC, DD,CT, field_D=X, field_E=Y, field_F=Z]   I will discuss above internally.   Thank you         ... View more

Re: Stats count comma delimited field

by in Splunk Search
‎07-04-2022 10:13 AM
‎07-04-2022 10:13 AM
  field_A="US", field_B="true" | stats count as ruleFired by field_C   Sorry I'm new to Splunk. I'm not extracting field_C in my query at all, and for some reason it's working fine for the one that doesn't have comma. (above is the complete query) do I need to modify it to below?   field_A="US", field_B="true" | rex "field_C=\"(?<field_C>[^\"]+)\"" |stats count as ruleFired by field_C     ... View more

Re: Stats count comma delimited field

by in Splunk Search
‎07-04-2022 09:58 AM
‎07-04-2022 09:58 AM
Hi Thank you for the reply.   The issue is there are over few thousands unique value for field_C, and I can't list them all. The way I'm doing it, as long as field_A = US and field_B= true, then I know there was rule that triggered and the name of the rule will be set in field_C.  So I need to know how many time each rule got triggered. field_A="US", field_B="true" | stats count as ruleFired by field_C it works fine with above for most of them as long as there is no comma ',' in field_C. but if there is comma in field_c, it only capture whatever before ,  and if the difference between few rules name are after comma ',' , it wont be able to group them separately  ... View more

Help with stats count comma delimited field

by in Splunk Search
‎07-04-2022 09:17 AM
‎07-04-2022 09:17 AM
Hello all, I have an event that looks similar to the following: field_A="US", field_B="true", field_C="AB/CD,XYZ, <>DD,CT", field_D= "60" I am trying to get the count occurrence of field_C during the past 3 months by using below query: field_A="US", field_B="true" | stats count as ruleFired by field_C   It works fine for all the other values that don't have comma "," in field_C.   but if there is any comma in field_C the count doesn't calculated correctly.   for example all below will count as a same group   A -- > field_C="AB/CD,XYZ, <>DD,CT" A -- > field_C="AB/CD,XYZ, DD,CT" A -- > field_C="AB/CD,ABC, <>DD,CT" A -- > field_C="AB/CD,ABC, DD,CT" the result will be  AB/CD 4 Versus  AB/CD,XYZ, <>DD,CT 1 AB/CD,XYZ, DD,CT 1 AB/CD,ABC, <>DD,CT 1 AB/CD,ABC, DD,CT          1   Any help would be much appreciated. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎07-08-2022 03:52 PM