Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search and count by multiple specific substrings in a field

chimuru84
Explorer
‎11-14-2023 06:36 AM

Hello. 

I have logs which contains field "matching" which is a String type. This field contains this kind of information: [firstName, lastName, mobileNumber, town, ipAddress, dateOfBirth, emailAddress, countryCode, fullAddress, postCode, etc]. What I want to do is to compose a query that will return count of a specific search, such as [mobileNumber, countryCode] and display only the fields that contain the above words.

I tried this query:

index="source*" | where matching LIKE "%mobileNumber%" AND matchingLIKE "%countryCode%"  | stats count by matching | table count matching

But the answer returns all the possible variants that also contains [mobileNumber, countryCode].

chimuru84_0-1699972201243.png

What I want is a count only for all this results

chimuru84_1-1699972441357.png

 

Also I want to create a table with all specific searches I do. I know how to use append, but result is like a stairs, what other solution can be used?

Than you!

 

Labels (5)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎11-16-2023 03:12 AM

In this case, you can easily adapt @ITWhisperer's first search.  If you want to be more stringent against edge cases, you can use regex.

Let me suggest some alternatives.  The first is the simplest:

index="source*" mobilePhoneNumber countryCode
| stats count by matchField

(AND is implied between SPL search terms.)

If this still give you more output than desired, try

index="source*" mobilePhoneNumber countryCode
| where match(matchField, "\bmobilePhoneNumber\b") AND match(matchField, "\bcountryCode\b")
| stats count by matchField

If for some odd reason the two terms in index search eliminates too many, you can get rid of them. (But it will be a lot more expensive.)

Hope this helps.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-14-2023 06:40 AM

Try converting matching to a multivalue field

index="source*" | where matching LIKE "%mobileNumber%" AND matching LIKE "%countryCode%"  
| eval matching=split(matching,",")
| stats count by matching | table count matching
Reply
Solved! Jump to solution

chimuru84
Explorer
‎11-14-2023 07:42 AM

This query is giving this result 

chimuru84_0-1699976413821.png

but, I want to count by 2 or more words. Thank You

1.jpg

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-14-2023 07:51 AM

Do you mean this?

index="source*" | where matching="mobileNumber,countryCode"  | stats count
0 Karma
Reply
Solved! Jump to solution

chimuru84
Explorer
‎11-14-2023 07:53 AM

yes, I tried like this, bus 0 events are returned

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-14-2023 07:55 AM

Please share a sample of the events you expect to be returned

0 Karma
Reply
Solved! Jump to solution

chimuru84
Explorer
‎11-14-2023 08:04 AM

This is a part of result. What I want, to get in one line only mobileNumber and countryCode, on other line lastName, firstName, not all log where this words are meet.

chimuru84_0-1699977795730.png

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-14-2023 08:47 AM

OK so that's not the actual event. So, going by what you have shared, try this

| where matching="[mobileNumber, countryCode]"
0 Karma
Reply
Solved! Jump to solution

chimuru84
Explorer
‎11-14-2023 10:05 AM

chimuru84_0-1699985125666.png

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-14-2023 10:10 AM

Without seeing the events, it is difficult to know what to suggest. Hopefully, previous answers will at least give you some ideas.

0 Karma
Reply
Solved! Jump to solution

chimuru84
Explorer
‎11-14-2023 10:53 AM

This is simple search, which give me this result. Result contains fields which contains "mobilePhoneNumber" OR "countryCode" OR "mobilePhoneNumber AND countryCode"

1.jpg

I want to return count (in one line) of all fields which contains both, mobilePhoneNumber and countryCode ("mobilePhoneNumber AND countryCode").

chimuru84_0-1700047130126.png

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎11-14-2023 08:30 PM

Pro tips:

  • Post data (real or emulated) in text.
  • Post how you want the result to be in text.
  • Explain the logic between the two.

The last screenshot is impossible.  Your search is "| stats count by matching" but the results table has header "matchingFields" instead.  Additionally, your very first screenshot looks like part of a spreadsheet; there is no space after comma, and no square brackets ([ and ]) on two ends.  Is this "match" text field bounded by brackets?  Are spaces present in this text field?  Further more, if "match" text exists in raw events, why not filter directly in index search?  There are only two possible combinations of MobileNumber and CountryCode.  You can do something like

index="source*" match IN ("[MobileNumber, CountryCode]", "[ContryCode, MobileNumber]")
| stats count by match

Bottom line, you need to describe and illustrate data precisely (anonymize as needed but keep characteristics accurate), and illustrate desired results clearly, then state your logic clearly.

 

0 Karma
Reply
Solved! Jump to solution

chimuru84
Explorer
‎11-15-2023 03:28 AM

This is simple search, which give me this result. Result contains fields which contains "mobilePhoneNumber" OR "countryCode" OR "mobilePhoneNumber AND countryCode"

1.jpg

I want to return count (in one line) of all fields which contains both, mobilePhoneNumber and countryCode ("mobilePhoneNumber AND countryCode").

chimuru84_0-1700047130126.png

0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎11-16-2023 03:12 AM

In this case, you can easily adapt @ITWhisperer's first search.  If you want to be more stringent against edge cases, you can use regex.

Let me suggest some alternatives.  The first is the simplest:

index="source*" mobilePhoneNumber countryCode
| stats count by matchField

(AND is implied between SPL search terms.)

If this still give you more output than desired, try

index="source*" mobilePhoneNumber countryCode
| where match(matchField, "\bmobilePhoneNumber\b") AND match(matchField, "\bcountryCode\b")
| stats count by matchField

If for some odd reason the two terms in index search eliminates too many, you can get rid of them. (But it will be a lot more expensive.)

Hope this helps.

0 Karma
Reply
Solved! Jump to solution

chimuru84
Explorer
‎11-16-2023 03:52 AM

Work fine, Thank you.

How can I ignore some value from result in same query, for example if I want to return only fields like second one in the screenshot. I mean, from first line in screenshot I want to exclude firstName, lastName and others. Thank you.

chimuru84_0-1700135368540.png

 

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎11-16-2023 10:08 AM

Again, please illustrate/emulate data in text.

Does "exclude firstName, lastName" mean to remove them for display purposes?  For that, you can use rex command's sed mode.  Like

| rex field=matchingField mode=sed "s/\bfirstName\b// s/, *,/,/ s/\[, */[/ s/, *\]/]/"
| rex field=matchingField mode=sed "s/\blastName\b// s/, *,/,/ s/\[, */[/ s/, *\]/]/"

 

0 Karma
Reply
Solved! Jump to solution

chimuru84
Explorer
‎11-16-2023 10:40 AM

I mean return all fields which does not contain firstName or lastName (do not remove them). Like in picture, second field does not contain firstName and lastName.

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎11-16-2023 08:23 PM

That would be logical NOT

index="source*" mobilePhoneNumber countryCode NOT firstName NOT lastName
| stats count by matchField
0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...