How to explicitly count an occurrence of a string ...

WyldeRhoads · ‎12-19-2017

I am trying to count the occurrence of some specific strings in a field value. The below query works for counting occurences, but there are some strings that have similar names, and because of this the values can be inflated.

The results field is not formatted, and can contain the string BikeNew, BikeOld, and just Bike. The problem here is that searching for %Bike% will return counts for all 3, and therefor the new value "currentBikes" will count all 3 different bike variables. Is there a way to explicitly search for only Bike ?

index=foo source=bar
| eval newBikes = = if(like(resultsField,"%BikeNEW%"),1,0)
| eval currentBikes = = if(like(resultsField,"%Bike%"),1,0)
| eval oldBikes = = if(like(resultsField,"%BikeOLD%"),1,0)
| stats sum(currentBikes) AS currentBikeCount, sum(oldBikes) as oldBikeCount, sum(newBikes) as newBikeCount

yannK · ‎12-19-2017

As a first method, if your string "Bike" is surrounded by spaces, you can use
eval currentBikes = = if(like(resultsField,"% Bike %"),1,0)

but a proper method could be to use a regex instead of a like.

| rex field= resultsField "(?<bike_type>(Bike[^NO]|BikeNEW|BikeOLD)" 
| stats count by bike_type

micahkemp · ‎12-19-2017

rex "(?<plain_bike>Bike(?![ON]))"

That will create a field plain_bike when the word Bike is not followed by O or N.

Or, this will create a field you can use to count by bike:

rex "(?<bike>Bike(NEW|OLD)?)"

How to explicitly count an occurrence of a string when another similar string exists

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases