Reporting

Like command not working as expected - I need a count of each pattern that matches the source

smuderasi
Explorer

Here is my search, which does not return anything 😞. The "source like Patterns" part is not working.

index=cio_billing host=amsokennl01 | eval Day=strftime(now(),"%a") | lookup job_schedule2  Day as Day OUTPUT Pattern as Patterns | where source like Patterns | stats count as actual_count  BY Patterns   | table Patterns source Day actual_count

Pattern:

%arb_usg_mps%06%
arbor_collections
pst_nl_arb_payment_processing
%arbor_collections%16.30%
%arb_pay_emergency_payments%
%arb_usg_mps%12%

Source:

pst_pe_arb_usg_mps_2017.08.13_06.30.13.log
pst_pe_arbor_collections_2017.08.14_02.00.06.log
0 Karma

gcusello
SplunkTrust

Hi,
let me understand better: you have a lookup with all the patterns you want to search as strings or substrings in your events, and then you want to use the found patterns in stats, is this correct?
I had this problem last year and I received a solution here: https://answers.splunk.com/answers/479831/how-to-search-for-a-pair-of-substrings-in-a-subsea.html
The main problem is that to search from a lookup as a string you have to use the "query" field, but after the search you have no memory of the "query" that was used.

So if you only need to search, you can use this:

index=cio_billing host=amsokennl01 
[ | inputlookup job_schedule2 | eval today=strftime(now(),"%a") | where Day=today | rename Pattern AS query | fields query ]
| table source Day _raw

If instead you want the whole solution, you have to follow the linked answer and try something like this:

index=cio_billing host=amsokennl01 
[ | inputlookup job_schedule2 | eval today=strftime(now(),"%a") | where Day=today | rename Pattern AS query | fields query ]
| rename _raw as rawText
| eval Pattern=[
    | inputlookup job_schedule2 
    | rename Pattern AS query 
    | stats values(query) AS query 
    | eval query=mvjoin(query,",") 
    | fields query 
    | format "" "" "" "" "" ""
    ]
| eval Pattern=split(Pattern,",") 
| mvexpand Pattern
| where like(rawText,Pattern)
| stats count as actual_count BY Pattern 
| table Pattern source Day actual_count

Bye.
Giuseppe

0 Karma

HiroshiSatoh
Champion

What is the output you want? Do you need to compile each pattern?

<In case of just extracting>
    index=cio_billing host=amsokennl01
    [
    |inputlookup job_schedule2 
    | eval wk_Day=strftime(now(),"%a") 
    | where Day=wk_Day
    |rename Pattern as source
    |table source
    ] ...

<Number of cases per pattern>    
    |inputlookup job_schedule2 
    | eval wk_Day=strftime(now(),"%a") 
    |where Day=wk_Day
    |map search="search index=cio_billing host=amsokennl01 source=$Pattern$ | stats count | eval Day=\"$Day$\", Pattern=\"$Pattern$\" | table Day, Pattern, count"

    Pattern (note: % -> *):
    *arb_usg_mps*06*
    arbor_collections
    pst_nl_arb_payment_processing
    *arbor_collections*16.30*
    *arb_pay_emergency_payments*
    *arb_usg_mps*12*
0 Karma
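As an added illustration that is not part of any post in this thread: the Python below emulates the LIKE semantics that Splunk's like() applies ('%' any run, '_' any single character, everything else literal), counts how many of the source names posted in the question match each pattern from the lookup, and also shows the '%' to '*' rewrite from the map-based answer. The pattern and source values are copied from the question; the function names are my own.

```python
import re
from collections import Counter

# Sample data constructed for this example: the lookup patterns and the two
# source file names exactly as posted in the question.
PATTERNS = [
    "%arb_usg_mps%06%",
    "arbor_collections",
    "pst_nl_arb_payment_processing",
    "%arbor_collections%16.30%",
    "%arb_pay_emergency_payments%",
    "%arb_usg_mps%12%",
]
SOURCES = [
    "pst_pe_arb_usg_mps_2017.08.13_06.30.13.log",
    "pst_pe_arbor_collections_2017.08.14_02.00.06.log",
]


def like_to_regex(pattern: str) -> re.Pattern:
    """Translate a LIKE pattern into an anchored regex.
    '%' matches any run of characters, '_' exactly one character;
    every other character (including '.') is matched literally."""
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def like(text: str, pattern: str) -> bool:
    """True when the whole of text matches the LIKE pattern."""
    return like_to_regex(pattern).match(text) is not None


def count_matches(sources, patterns):
    """Return {pattern: number of sources it matches}, i.e. the actual_count
    asked for. Zero-hit patterns are kept so that a scheduled job with no
    matching source is visible instead of silently dropped."""
    counts = Counter({p: 0 for p in patterns})
    for src in sources:
        for pat in patterns:
            if like(src, pat):
                counts[pat] += 1
    return dict(counts)


def like_to_glob(pattern: str) -> str:
    """Rewrite a LIKE pattern for use as a search-time wildcard (source=...),
    as the map-based answer does: '%' becomes '*'. A single-character
    wildcard has no glob equivalent here, so '_' stays literal."""
    return pattern.replace("%", "*")
```

Run against the posted data, only %arb_usg_mps%06% gets a count of 1: a pattern without wildcards, such as arbor_collections, is compared against the whole source name and therefore never matches a full file name.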

smuderasi
Explorer

I need a count of each Pattern matching the source.

0 Karma

HiroshiSatoh
Champion

The search statement was corrected to return the number of cases per pattern.

0 Karma