How To Find The Total Count of each Command used in Your SPLUNK Query

Suppose we have data in which each event is itself a Splunk query. An example is shown below.


We first list all the queries in tabular form with the "table" command. Here "_raw" is a default field that Splunk attaches to every event; it holds the original event text, which in this data set is the query itself.

Query

index="splunk" sourcetype="Basic"
| table _raw


Now we need the total count of each command used across these queries. The following query produces it.

Query

index="splunk" sourcetype="Basic"
| table _raw
| eval A=split(_raw,"|")
| mvexpand A
| search NOT A="*index*"
| rex field=A "(?<Command>\w+)\s*"
| stats count by Command
| sort - count
| regex Command!="\d+"

Result:


Explanation:

In the above query "_raw" is the default field holding the full text of each event; the data lives in the "splunk" index under the sourcetype "Basic".

First, the "table" command keeps only the "_raw" field. The "split" function then cuts "_raw" on the pipe character "|" and stores the pieces in a multivalue field "A", one value per pipeline segment, and "mvexpand" turns each of those values into its own row. The "search" command drops the rows containing "index", i.e. the leading base search, which is not a command. Next, "rex" extracts the first run of word characters from "A" into a field named "Command"; because every segment starts with the command name, that is the command. "stats count by Command" then counts how often each command appears, "sort - count" orders the result with the most frequent command first, and the final "regex" command removes rows whose "Command" value is only digits rather than a command name.

Two caveats are worth knowing before trusting the numbers. "split(_raw,"|")" cuts on every pipe, including pipes inside quoted strings and regex patterns, so a rex pattern such as "(GET|POST)" yields a bogus "POST" command and inflates the counts for regex-heavy queries. And "NOT A="*index*"" matches the word anywhere in the segment, so a command line that merely mentions "index" (for example an "eval" that builds an index name) is silently discarded too; matching only segments that start with "index=" is safer. Likewise "regex Command!="\d+"" is unanchored and would also drop a genuine command name that happens to contain a digit; "^\d+$" restricts the filter to purely numeric values.
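As an added example, not part of the original post, here is the same split / expand / filter / extract / count pipeline written in Python over a handful of constructed query strings, so the logic can be checked offline without a Splunk instance. It also shows the failure mode of "split(_raw,"|")": a pipe inside a quoted string is not a command separator, and the naive split invents a "POST" command out of a rex pattern. The sample queries, the quote-aware splitter, the "index=" prefix check (tighter than the page's "*index*" wildcard) and the anchored numeric filter are all assumptions of this example rather than code from the page.

```python
import re
from collections import Counter
from typing import Iterable, List, Tuple

# Constructed sample "events": each string stands in for the _raw field of one
# stored Splunk query, like the rows in the page's screenshot.
SAMPLE_QUERIES = [
    'index="splunk" sourcetype="Basic" | table _raw',
    'index="splunk" | eval A=split(_raw,"|") | mvexpand A | stats count by A',
    'index="web" | rex field=uri "(?<path>[^?]+)" | stats count by path | sort - count',
    'index="web" | rex "(GET|POST)" | top 10 status',
]

# Mirrors the page's rex "(?<Command>\w+)\s*": the first run of word characters
# in the segment. rex is unanchored, so search() rather than match() is used.
FIRST_WORD = re.compile(r"(\w+)")
# Tighter form of the page's `search NOT A="*index*"`: only a segment that
# actually starts with the base search (index=...) is dropped.
BASE_SEARCH = re.compile(r"^\s*index\s*=", re.IGNORECASE)


def split_pipeline(query: str, quote_aware: bool = True) -> List[str]:
    """Split one SPL string into its pipe-separated segments.

    quote_aware=False reproduces split(_raw, "|") from the page, which cuts a
    query in the middle of any quoted string that contains a pipe. With
    quote_aware=True, pipes inside double-quoted strings (and backslash-escaped
    quotes inside them) are left alone.
    """
    if not quote_aware:
        return [s.strip() for s in query.split("|") if s.strip()]
    segments, current, in_quotes = [], [], False
    i = 0
    while i < len(query):
        ch = query[i]
        if in_quotes and ch == "\\" and i + 1 < len(query):
            current.append(query[i:i + 2])   # keep the escaped char, e.g. \"
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "|" and not in_quotes:
            segments.append("".join(current))
            current = []
            i += 1
            continue
        current.append(ch)
        i += 1
    segments.append("".join(current))
    return [s.strip() for s in segments if s.strip()]


def count_commands(queries: Iterable[str], quote_aware: bool = True) -> List[Tuple[str, int]]:
    """Equivalent of the page's mvexpand / search / rex / stats / sort / regex chain.

    Returns (command, count) pairs, highest count first, ties in name order.
    """
    counts: Counter = Counter()
    for query in queries:
        for segment in split_pipeline(query, quote_aware):
            if BASE_SEARCH.match(segment):      # base search, not a command
                continue
            found = FIRST_WORD.search(segment)
            if not found:                       # leftover with no word at all
                continue
            command = found.group(1)
            if command.isdigit():               # anchored form of regex Command!="\d+"
                continue
            counts[command] += 1
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for label, flag in (("quote-aware split", True), ('split(_raw,"|") as on the page', False)):
        print(f"--- {label} ---")
        for command, count in count_commands(SAMPLE_QUERIES, quote_aware=flag):
            print(f"{count:4d}  {command}")
```

Running the block prints both tallies side by side; the only difference is the spurious "POST" row that the naive split produces from the fourth sample query.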


Hope this has helped you meet the requirement below:

How To Find The Total Count of each Command used in Your SPLUNK Query

Happy Splunking !!
