Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Generating statistics from combined fields usi...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Generating statistics from combined fields using rex
josipj
New Member
11-21-2018
10:51 AM
Hi,
I'm having difficulty creating a splunk query which generates an overview of field combinations using regular expression. What I'm trying todo is to combine the fields 'code' and 'outCome' to a key and count the combination over a certain period of time. It is possible for the element 'code' not to be present if that is the case I would like to print it "NA". What I would expect the table to look like is:
Code:outCome:Occurences
NA:01:2
UNKOWN:02:1
KNOWN:01:1
Below the splunk query:
| makeresults
| eval _raw="<reply><result><sessiondId>1</sessiondId><resultChecks><resultCheck><personId/><address><street>streetName</street></address><outCome>01</outCome></resultCheck><resultCheck><personId/><address><street>streetName</street></address><outCome>01</outCome></resultCheck><resultCheck><personId/><code>UNKOWN</code><address><street>streetName</street></address><outCome>02</outCome></resultCheck><resultCheck><personId/><code>KNOWN</code><address><street>streetName</street></address><outCome>01</outCome></resultCheck><information><record><recordCode>1</recordCode><recordText>recordText</recordText></record></information></resultChecks></result></reply>"
| rex max_match=0 field=_raw "(code>(?<code>\w+)<\/code>.*?)?outCome>(?<outCome>.*?)<\/outCome>"
| table code, outCome
Any suggestions on how to do this?
Kind regards,
Josip
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
laurie_gellatly
Communicator
11-21-2018
06:20 PM
| makeresults
| eval _raw="<reply><result><sessiondId>1</sessiondId><resultChecks><resultCheck><personId/><address><street>streetName</street></address><outCome>01</outCome></resultCheck><resultCheck><personId/><address><street>streetName</street></address><outCome>01</outCome></resultCheck><resultCheck><personId/><code>UNKOWN</code><address><street>streetName</street></address><outCome>02</outCome></resultCheck><resultCheck><personId/><code>KNOWN</code><address><street>streetName</street></address><outCome>01</outCome></resultCheck><information><record><recordCode>1</recordCode><recordText>recordText</recordText></record></information></resultChecks></result></reply>"
| rex max_match=0 field=_raw mode=sed "s/Id\/><ad/Id\/><code>NA<\/code><ad/g"
| rex max_match=0 field=_raw "code>(?<CodeOut>.*?)<\/outCome"
| rex max_match=0 field=CodeOut mode=sed "s/<\/code.*Come>/:/"
| mvexpand CodeOut
| stats count by CodeOut
...Laurie:{)
Get Updates on the Splunk Community!
Building Reliable Asset and Identity Frameworks in Splunk ES
Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...
Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting
For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...
Automatic Discovery Part 3: Practical Use Cases
If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...
