Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Generating statistics from combined fields usi...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Generating statistics from combined fields using rex
josipj
New Member
11-21-2018
10:51 AM
Hi,
I'm having difficulty creating a splunk query which generates an overview of field combinations using regular expression. What I'm trying todo is to combine the fields 'code' and 'outCome' to a key and count the combination over a certain period of time. It is possible for the element 'code' not to be present if that is the case I would like to print it "NA". What I would expect the table to look like is:
Code:outCome:Occurences
NA:01:2
UNKOWN:02:1
KNOWN:01:1
Below the splunk query:
| makeresults
| eval _raw="<reply><result><sessiondId>1</sessiondId><resultChecks><resultCheck><personId/><address><street>streetName</street></address><outCome>01</outCome></resultCheck><resultCheck><personId/><address><street>streetName</street></address><outCome>01</outCome></resultCheck><resultCheck><personId/><code>UNKOWN</code><address><street>streetName</street></address><outCome>02</outCome></resultCheck><resultCheck><personId/><code>KNOWN</code><address><street>streetName</street></address><outCome>01</outCome></resultCheck><information><record><recordCode>1</recordCode><recordText>recordText</recordText></record></information></resultChecks></result></reply>"
| rex max_match=0 field=_raw "(code>(?<code>\w+)<\/code>.*?)?outCome>(?<outCome>.*?)<\/outCome>"
| table code, outCome
Any suggestions on how to do this?
Kind regards,
Josip
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
laurie_gellatly
Communicator
11-21-2018
06:20 PM
| makeresults
| eval _raw="<reply><result><sessiondId>1</sessiondId><resultChecks><resultCheck><personId/><address><street>streetName</street></address><outCome>01</outCome></resultCheck><resultCheck><personId/><address><street>streetName</street></address><outCome>01</outCome></resultCheck><resultCheck><personId/><code>UNKOWN</code><address><street>streetName</street></address><outCome>02</outCome></resultCheck><resultCheck><personId/><code>KNOWN</code><address><street>streetName</street></address><outCome>01</outCome></resultCheck><information><record><recordCode>1</recordCode><recordText>recordText</recordText></record></information></resultChecks></result></reply>"
| rex max_match=0 field=_raw mode=sed "s/Id\/><ad/Id\/><code>NA<\/code><ad/g"
| rex max_match=0 field=_raw "code>(?<CodeOut>.*?)<\/outCome"
| rex max_match=0 field=CodeOut mode=sed "s/<\/code.*Come>/:/"
| mvexpand CodeOut
| stats count by CodeOut
...Laurie:{)
Get Updates on the Splunk Community!
Prove Your Splunk Prowess at .conf25—No Prereqs Required!
Your Next Big Security Credential: No Prerequisites Needed
We know you’ve got the skills, and now, earning the ...
Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code
This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Splunk Answers Content Calendar, July Edition I
Hello Community!
Welcome to another month of Community Content Calendar series! For the month of July, we will ...
