Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write a Regex to extract and list out the country names from my html formatted results ?

pavanae
Builder
‎10-07-2015 08:48 PM

The following were my html search results

<country>USA</country>
<country>CANADA</country>
<country>UK</country>
<country>AUSTRALIA</country>

How do I write the regex to extract and list out the countries and their count.

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ishaanshekhar
Communicator
‎10-08-2015 02:45 AM

First, if the search results you mentioned are separate events, then you are good. Else, you need to add this config in the Parsing Stage (Heavy Forwarder/Indexer):

props.conf:
SHOULD_LINEMERGE=false

Post that, use this regex in the search query to extract the Amount Due field and then calculate the average.

<...Initial Search...>|rex field=_raw "<country>(?< COUNTRY>.*)<\/country>"|stats count by COUNTRY as COUNTRY_COUNT

View solution in original post

Reply
Solved! Jump to solution

masonmorales
Influencer
‎10-08-2015 11:22 AM

Assuming those are all in the same event...

| rex max_match=0 "\<country\>(?<country>[^\<]+)"

Reference: http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/rex

0 Karma
Reply
Solved! Jump to solution
Solution

ishaanshekhar
Communicator
‎10-08-2015 02:45 AM

First, if the search results you mentioned are separate events, then you are good. Else, you need to add this config in the Parsing Stage (Heavy Forwarder/Indexer):

props.conf:
SHOULD_LINEMERGE=false

Post that, use this regex in the search query to extract the Amount Due field and then calculate the average.

<...Initial Search...>|rex field=_raw "<country>(?< COUNTRY>.*)<\/country>"|stats count by COUNTRY as COUNTRY_COUNT
Reply
Solved! Jump to solution

badrinath_itrs
Communicator
‎10-08-2015 03:22 AM

Please use the code options while pasting the answer so that the page should not exclude characters such as "< "etc..

Reply
Solved! Jump to solution

ishaanshekhar
Communicator
‎10-08-2015 04:46 AM

thanks badrinath! I edited my answer and now it is working fine.

0 Karma
Reply
Solved! Jump to solution

tom_frotscher
Builder
‎10-08-2015 01:10 AM

Is every line a seperated event, or are all lines united in one event?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...