How To Find The Total Count of each Command used in Your SPLUNK Query
Let's say we have data where each event is a Splunk query. An example is given below.
We have listed all the Splunk queries in tabular format with the "table" command. Here "_raw" is an existing internal field of Splunk.
Query
index="splunk" sourcetype="Basic"
| table _raw
Now we need to find the total count of each command used in these Splunk queries. We can find it with the following query.
Query
index="splunk" sourcetype="Basic"
| table _raw
| eval A=split(_raw,"|")
| mvexpand A
| search NOT A="*index*"
| rex field=A "(?<Command>\w+)\s*"
| stats count by Command
| sort - count
| regex Command!="\d+"
Result:
Explanation:
In the above query "_raw" is an existing internal field in the "splunk" index, and the sourcetype name is "Basic".
First, with the "table" command we take the "_raw" field. Then we split the "_raw" field on the pipe character with the "split" function, which gives a multi-value field "A". After that, with the "mvexpand" command we turn each value of "A" into its own row. Then with the "search" command we exclude the undesired rows (the ones containing "index") from the result set. Next we extract the command name, the first word of each row, from the field "A" with the "rex" command, so we get a list of commands in the "Command" field. Then we take the count of each command with the "stats" command. After that we sort the counts in descending order with the "sort" command. At last we keep only the desired output with the "regex" command, which drops "Command" values that contain digits.
Hope this has helped you in achieving the below requirement without fail:
How To Find The Total Count of each Command used in Your SPLUNK Query
Happy Splunking !!