Splunk Search

How to make combine multiple string searches and count all combinations

allanmb
Engager

I am logging some settings and whether they are enabled or disabled. I want to make a table combining some of the options. For example, here is my log entry:
[UserSettings] Player:Fred QC:1 QCAudio:0

I want to find the number of entries where QC is 1 and QCAudio is 1. I also want to find the number of entries where both are 0, and all other combinations.

Currently I am searching a single option with the following splunk search:

UserSettings | eval qcenabled=if(like(_raw, "%QC:1%"), "Enabled", "Disabled") | stats count by qcenabled
0 Karma

gokadroid
Motivator

How about giving this a try that will find all the combinations, give enabled and disabled for the combinations as well as "Other" in case it is not one of the two combinations you want. Hope it helps:

UserSettings 
| rex field=_raw "\[UserSettings\]\s*Player\s*\:\s*(?<playerName>[\S]+)\s*QC\s*\:\s*(?<qcCount>[\S]+)\s*QCAudio\s*\:\s*(?<qcAudioCount>[\S]+)
| eval qcenabled=case( qcCount=1 AND qcAudioCount=1, "Enabled", qcCount=0 AND qcAudioCount=0,"Disabled", 1=1, "Other") 
| stats count by qcCount, qcAudioCount, qcenabled

I have added some extra \s* in the above rex just to be safe in case there are some spaces here and there but that rex can compactly be written like below as well:

 | rex field=_raw "\[UserSettings\]\s*Player\:(?<playerName>[\S]+)\s*QC\:(?<qcCount>[\S]+)\s*QCAudio\:(?<qcAudioCount>[\S]+)
0 Karma

allanmb
Engager

I've found a messy way to do it which is fine with only 4 possible combinations but any more and this would be very messy. Is there a more automatic way to do it?

UserSettings | eval qcenabled=if(like(message, "%QC:1%") AND like(message, "%QCAudio:1%"), "fully enabled", if(like(message, "%QC:0%") AND like(message, "%QCAudio:0%"), "fully disabled", "partially disabled")) | stats count by qcenabled
0 Karma

allanmb
Engager

I have something working using:

UserSettings | eval qcenabled=if(like(_raw, "%QC:1%") AND like(_raw, "%QCAudio:1%"), "Both Enabled", "Something Disabled") | stats count by qcenabled

This only does a count of one single combination against all others, rather than soing all 4 combinations

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...