Home > Back-end >  Splunk - How to count occurrences of a string by an extracted field?
Splunk - How to count occurrences of a string by an extracted field?

Time:09-29

I have such log-entries:

First entry:

"abc","Id":"XYZ12"},{"lat":55},{"lat":45}{"lat":59}

Second entry:

"abc","Id":"YZA56"},{"lat":23},{"lat":101}

What I now want to get is the number of occurences of string "lat" per Id.

So in the end I would like to get a statistics like this one:

Id occurences
XYZ12 3
YZA56 2

How can I do this in Splunk? I would know how to get the Id and then count all the events by this Id. But I do not know what to do when I want to do the exercise upon..

Can someone support here?

CodePudding user response:

I'll assume no fields are extracted automatically.

Use the rex command to extract fields. We'll do two extractions: one for 'Id' and another for 'lat'. The second uses max_match=0 to allow for multiple hits.

index=foo
| rex "Id\\\:\\\"(?<Id>[^\\\"] )"
| rex max_match=0 "lat\\\":(?<lat>\d )"
| eval occurences=mvcount(lat)
| table Id occurences

Page link:https//www.codepudding.com/Backend/131565.html

Prev:How to combine two regex into one command in pandas [duplicate]
Next:Regex Expression for not accepting a single underscore but accepts single alphabet
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding