How to Match multiple “|” in the same event in Splunk Query Using REX in SPLUNK

Let's say we have data in which Splunk queries arrive as events. An example is given below.

[Screenshot 1: sample events, each containing a Splunk query]

We have put all the Splunk queries in tabular form with the "table" command. Here "_raw" is an existing internal field of Splunk.

Query

index="splunk" sourcetype="Basic"
| table _raw

[Screenshot 2: output of the "table _raw" query]

Now we want to match multiple "|" in the same event of Splunk queries using rex. We can match every "|" in the same event, and extract the command that follows each one, with the following query.

Query

index="splunk" sourcetype="Basic"
| table _raw
| rex max_match=100 field=_raw "(?msi)\|\s*(?<Command>\w+)"
| mvexpand Command
| stats count by Command
| sort - count

Result:

[Screenshot 3: result, the count of each command sorted in descending order]

Explanation:

In the above query "_raw" is an existing internal field in the "splunk" index, and the sourcetype name is "Basic".

At first, with the "table" command, we have taken the "_raw" field. With the "rex" command we have matched every "|" in the same event (max_match=100 allows up to 100 matches per event instead of the default single match) and extracted the word following each "|" into the "Command" field, which is therefore a multi-value field. After that, "mvexpand" turns the multi-value "Command" field into one single-value row per command, so we get a flat list of commands in the "Command" field. Then we have taken the count of each command with the "stats" command. Finally we have sorted the commands by their count in descending order with the "sort" command.
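The same pipeline re-implemented in Python over a few constructed sample events, as an added example (not Splunk's code and not part of the original post): the regex is the page's pattern in Python spelling, extract_commands stands in for rex with max_match, and count_commands stands in for mvexpand, stats and sort. The third sample event shows a caveat worth knowing before trusting the counts: a "|" inside a quoted string value is matched too, so a stray token ("b") lands in the Command field.

```python
import re
from collections import Counter

# Constructed sample events standing in for the "_raw" field of the "Basic" sourcetype.
SAMPLE_EVENTS = [
    'index=web sourcetype=access | stats count by status | sort - count',
    'index=auth | rex field=_raw "user=(?<user>\\w+)" | table user',
    'index=web | eval note="a|b" | stats count',   # "|" inside a quoted value
]

# Python spelling of the page's regex (?msi)\|\s*(?<Command>\w+):
# a literal "|", optional whitespace, then the command word.
COMMAND_RE = re.compile(r"\|\s*(?P<Command>\w+)", re.M | re.S | re.I)


def extract_commands(raw: str, max_match: int = 100) -> list[str]:
    """Mirror `rex max_match=100 field=_raw ...` for one event: return the
    multi-value Command field, capped at max_match matches."""
    return [m.group("Command") for m in COMMAND_RE.finditer(raw)][:max_match]


def count_commands(events: list[str]) -> list[tuple[str, int]]:
    """Mirror `mvexpand Command | stats count by Command | sort - count`."""
    counter: Counter[str] = Counter()
    for raw in events:
        # mvexpand: every value of the multi-value field becomes its own row
        counter.update(extract_commands(raw))
    # sort - count: descending by count; ties broken by name for stable output
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for command, count in count_commands(SAMPLE_EVENTS):
        print(f"{command:<8} {count}")
```

Note that the leading search (the text before the first "|") never produces a match, so the implicit "search" command is not counted, exactly as in the SPL version.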


Hope this has helped you in achieving the below requirement without fail:

How to Match multiple “|” in the same event in Splunk Query Using REX in SPLUNK

Happy Splunking !!
