- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to make combine multiple string searches a...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to make combine multiple string searches and count all combinations
I am logging some settings and whether they are enabled or disabled. I want to make a table combining some of the options. For example, here is my log entry:
[UserSettings] Player:Fred QC:1 QCAudio:0
I want to find the number of entries where QC is 1 and QCAudio is 1. I also want to find the number of entries where both are 0, and all other combinations.
Currently I am searching a single option with the following splunk search:
UserSettings | eval qcenabled=if(like(_raw, "%QC:1%"), "Enabled", "Disabled") | stats count by qcenabled
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How about giving this a try that will find all the combinations, give enabled and disabled for the combinations as well as "Other" in case it is not one of the two combinations you want. Hope it helps:
UserSettings
| rex field=_raw "\[UserSettings\]\s*Player\s*\:\s*(?<playerName>[\S]+)\s*QC\s*\:\s*(?<qcCount>[\S]+)\s*QCAudio\s*\:\s*(?<qcAudioCount>[\S]+)
| eval qcenabled=case( qcCount=1 AND qcAudioCount=1, "Enabled", qcCount=0 AND qcAudioCount=0,"Disabled", 1=1, "Other")
| stats count by qcCount, qcAudioCount, qcenabled
I have added some extra \s* in the above rex just to be safe in case there are some spaces here and there but that rex can compactly be written like below as well:
| rex field=_raw "\[UserSettings\]\s*Player\:(?<playerName>[\S]+)\s*QC\:(?<qcCount>[\S]+)\s*QCAudio\:(?<qcAudioCount>[\S]+)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've found a messy way to do it which is fine with only 4 possible combinations but any more and this would be very messy. Is there a more automatic way to do it?
UserSettings | eval qcenabled=if(like(message, "%QC:1%") AND like(message, "%QCAudio:1%"), "fully enabled", if(like(message, "%QC:0%") AND like(message, "%QCAudio:0%"), "fully disabled", "partially disabled")) | stats count by qcenabled
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have something working using:
UserSettings | eval qcenabled=if(like(_raw, "%QC:1%") AND like(_raw, "%QCAudio:1%"), "Both Enabled", "Something Disabled") | stats count by qcenabled
This only does a count of one single combination against all others, rather than soing all 4 combinations
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
