Solved: using dc, showing _raw field

tedder · ‎11-30-2010

This should be easy. I'm building a query:

index=asdf "search string" | rex field=_raw mode=sed "s/.*foo(.*?)bar/\1/"

Great. Now it returns a portion of the log that I want to see. I need to "count and group" that now.

index=asdf "search string" | rex field=_raw mode=sed "s/.*foo(.*?)bar/\1/" | stats count by _raw

Hmm. That just returns raw counts, but not the data. Forcing it causes nothing to return:

index=asdf "search string" | rex field=_raw mode=sed "s/.*foo(.*?)bar/\1/" | stats count by _raw as dcount | fields _raw

So, given the first query, can someone add "count and group, sort by top counts" to it? Yes, I know this can theoretically be a field extraction, but I don't want that in this case.

ziegfried · ‎11-30-2010

The _raw field isn't displayed in the results, because it begins with an underscore. You have to rename it in order to be displayed in the result:

index=asdf "search string" | rex field=_raw mode=sed "s/.*foo(.*?)bar/\1/" | rename _raw as raw | stats count by raw

View solution in original post

ziegfried · ‎11-30-2010

The _raw field isn't displayed in the results, because it begins with an underscore. You have to rename it in order to be displayed in the result:

index=asdf "search string" | rex field=_raw mode=sed "s/.*foo(.*?)bar/\1/" | rename _raw as raw | stats count by raw

tedder · ‎11-30-2010

exactly what I needed. Thanks.

using dc, showing _raw field

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms