Splunk Search

How to count field with string and empty string and draw a chart ?

annalwins
Engager

I have below format of data. I would like to count email with empty string as anonymous and email with any string as customer and would like to draw a chart for the same.
email= ,status='yes'
email=abced@gmail.com ,status='yes'
email=ced@gmail.com ,status='yes'

Tags (1)
0 Karma
1 Solution

adityapavan18
Contributor

You can try something like this:

| rex "email=(?[^\,]*)" | eval emailtype = if(email==" ","Anonymous","Customer") | stats count by emailtype

View solution in original post

annalwins
Engager

It works as I expected.
[1] Can you explain me about this rex. How does email="" string goes to Anonymous and email=äbcd.gmail.com goes to customer?
[2] How can I get avg customer from this ?

0 Karma

adityapavan18
Contributor

Its simple, the rex i mentioned extracts everything between the string "email=" and the comma(,).
In case of proper email id's it extract email id's, but when there is no email Id there is only a blank space and that is extracted.
Now in my eval statement i am checking if email value is a blank space if yes i am setting a variable emailtype as Anonymous else as Customer. Hope that helps.

0 Karma

adityapavan18
Contributor

You can try something like this:

| rex "email=(?[^\,]*)" | eval emailtype = if(email==" ","Anonymous","Customer") | stats count by emailtype

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...