Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to count the results of a rex that returns multiple matches as a single group of matches?

bschaap
Path Finder
‎09-20-2017 07:15 AM

I have results from a rex statement that looks something like the first set of results. The rex returns multiple matches per row. I am trying to use the stats function to group multiple matches as a single group (see Desired). However, my stats statement currently sees each match as a separate group (see Not Desired). Is there a way to return the Desired result?

Multi-match rex results
namespace
.........................................................
System.ServiceModel.Channels
System.ServiceModel.Dispatcher
..........................................................
System.ServiceModel.Channels
System.ServiceModel.Dispatcher
..........................................................

Statement
... |stats count by namespace

Desired
namespace count
.........................................................................................
System.ServiceModel.Channels 2
System.ServiceModel.Dispatcher
.........................................................................................

Not Desired
namespace count
.........................................................................................
System.ServiceModel.Channels 1
System.ServiceModel.Dispatcher 1
.........................................................................................

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-20-2017 09:36 AM

Give this a try. The nomv command will convert your multivalued field to regular, linear field. This way the stats will treat them as one group, instead of individual values. 

index="prod" sourcetype="app_logging_exceptions" ExStackTrace<>"" ExGlobalException="1" | rex field=ExStackTrace "(?: *)at (?:(?[\w\d_.]*)\.)?(?[\w\d_.]*(\.[\w\d_.<>]+)?)\.(?[\w\d_\[\]<>]*)\((?:(?[\w\d_]+(?:\[\]|&|\*)? [\w\d_]+)(?:, )?)*\)(?: *in *(?[^:]+(?::[^:]+)?))?(?::line *(?\d+))?" max_match=100| table namespace | nomv namespace | stats count by namespace | makemv namespace

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-20-2017 09:36 AM

Give this a try. The nomv command will convert your multivalued field to regular, linear field. This way the stats will treat them as one group, instead of individual values. 

index="prod" sourcetype="app_logging_exceptions" ExStackTrace<>"" ExGlobalException="1" | rex field=ExStackTrace "(?: *)at (?:(?[\w\d_.]*)\.)?(?[\w\d_.]*(\.[\w\d_.<>]+)?)\.(?[\w\d_\[\]<>]*)\((?:(?[\w\d_]+(?:\[\]|&|\*)? [\w\d_]+)(?:, )?)*\)(?: *in *(?[^:]+(?::[^:]+)?))?(?::line *(?\d+))?" max_match=100| table namespace | nomv namespace | stats count by namespace | makemv namespace
Reply
Solved! Jump to solution

bschaap
Path Finder
‎09-20-2017 10:13 AM

It works! Thank everyone.

0 Karma
Reply
Solved! Jump to solution

cpetterborg
SplunkTrust
SplunkTrust
‎09-20-2017 08:23 AM

Not being able to see more of your search, and assuming a few things from what you said, I'd attempt the following:

<your search> | mvexpand namespace | stats count by namespace
0 Karma
Reply
Solved! Jump to solution

bschaap
Path Finder
‎09-20-2017 08:43 AM

I appreciate the response. Unfortunately, mvexpand namespace didn't do what I expected. This is my original search. The results return all the namespaces within the stacktrace for a row. I would like to group each set of matches within a stacktrace and return a count. Instead, it's grouping on each individual match. Hope this makes sense.

index="prod" sourcetype="app_logging_exceptions" ExStackTrace<>"" ExGlobalException="1" | rex field=ExStackTrace "(?: *)at (?:(?[\w\d_.]*)\.)?(?[\w\d_.]*(\.[\w\d_.<>]+)?)\.(?[\w\d_\[\]<>]*)\((?:(?[\w\d_]+(?:\[\]|&|\*)? [\w\d_]+)(?:, )?)*\)(?: *in *(?[^:]+(?::[^:]+)?))?(?::line *(?\d+))?" max_match=100| table namespace
0 Karma
Reply
Solved! Jump to solution

cpetterborg
SplunkTrust
SplunkTrust
‎09-20-2017 09:44 AM

OOPS. @somesoni2 got it right. I got my mv commands mixed up when I submitted, and I didn't check my answer first. Gotta make sure I check things before I submit!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...