Splunk table and regex filter

mnjmht18 · ‎12-16-2019

I have following data in "log" field,
date1 name : message one
date2 name : message two
date3 name : message one
date4 name : message one
date5 name : message three
date6 name : message three

i want to filter this and create a table as below,
columns
log - count
message one - 3
message two - 1
message three - 2

how can i achieve this?

vnravikumar · ‎12-16-2019

Hi @mnjmht18

Try any one of the following

| makeresults 
| eval log="date1 name : message one,date2 name : message two,date3 name : message one,date4 name : message one,date5 name : message three,date6 name : message three" 
| makemv delim="," log 
| mvexpand log 
| rex field=log "name :\s+(?P<log>[^:]+)$" 
| stats count by log

or

| makeresults 
| eval log="date1 name : message one,date2 name : message two,date3 name : message one,date4 name : message one,date5 name : message three,date6 name : message three" 
| makemv delim="," log 
| mvexpand log 
| eval log= mvindex(split(log,"name :"),-1) 
| stats count by log

richgalloway · ‎12-16-2019

Try this query.

... | rex field=log "name : (?<log>.*)"
| stats count by log

---
If this reply helps you, Karma would be appreciated.

Splunk table and regex filter

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life