How to Match multiple “|” in the same event in Splunk Query Using REX in SPLUNK
Let's say we have an index whose events are themselves Splunk queries, one SPL search per event. An example is given below.
We list all the queries in tabular form with the "table" command. Here "_raw" is a default field that Splunk populates for every event with the original event text; it is not something we had to extract ourselves.
Query
index="splunk" sourcetype="Basic"
| table _raw
Now we want to match every "|" in the same event and pull out the command name that follows each one, using rex. The following query does that.
Query
index="splunk" sourcetype="Basic"
| table _raw
| rex max_match=100 field=_raw "(?msi)\|\s*(?<Command>\w+)"
| mvexpand Command
| stats count by Command
| sort - count
Result:
Explanation:
In the above query "_raw" is the default field holding the full event text, the events come from the "splunk" index and the sourcetype name is "Basic".
At first, with the "table" command, we keep only the "_raw" field. The "rex" command then runs the regular expression "(?msi)\|\s*(?<Command>\w+)" over it. "\|" matches a literal pipe (the pipe must be escaped because an unescaped "|" means alternation), "\s*" skips any spaces after it, and "(?<Command>\w+)" captures the run of word characters that follows, i.e. the command name, into a field called "Command". The "(?msi)" prefix turns on multi-line, dot-all and case-insensitive matching so the pattern behaves the same even if a query spans several lines. By default rex stops after the first match; "max_match=100" tells it to keep going and return up to 100 matches, so "Command" becomes a multi-value field with one value per pipe in the event. After that "mvexpand" turns each multi-value "Command" into its own single-value row, giving us one row per command. Then we count each command with the "stats" command and finally sort the counts in descending order with the "sort" command.
Two things to keep in mind when using this. The first command of a search (the implicit "search" before the first pipe) is never captured, because no "|" precedes it. And the pattern matches any pipe in the text, including one inside a quoted string or inside a regex embedded in the query (for example a "|" alternation in another rex), so such pipes will show up as spurious "Command" values; strip or skip quoted text first if that matters for your data. Also, an event with more than 100 pipes will be truncated at 100 matches unless you raise max_match.
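The same extraction and counting, reproduced in Python so the regex and the max_match cap can be checked offline. This is an added example, not code from the original post or from Splunk; the sample events are constructed here, and the extra function that ignores pipes inside double-quoted strings is an assumption about how one might handle the quoted-pipe caveat above, not something the page's query does.

```python
import re
from collections import Counter

# Constructed sample events: each event is one SPL query, as in the page's "splunk" index.
# The third event deliberately contains a "|" inside a quoted string.
SAMPLE_EVENTS = [
    'index="web" sourcetype="access_combined" | stats count by clientip | sort - count',
    'index="auth" action=failure | rex field=_raw "user=(?<user>\\w+)" | table user, src',
    'index="fw" | eval msg="a|b" | table msg',
]

# Same pattern the page passes to rex: (?msi)\|\s*(?<Command>\w+)
# Python spells a named group (?P<name>...) and takes the m/s/i flags as re.M | re.S | re.I.
COMMAND_RE = re.compile(r'\|\s*(?P<Command>\w+)', re.M | re.S | re.I)

# Matches a double-quoted string, used only by the variant that skips quoted pipes.
QUOTED_RE = re.compile(r'"[^"]*"')


def extract_commands(event: str, max_match: int = 100) -> list[str]:
    """Return the command name after each "|" in one event, capped like rex max_match.

    This mirrors the page's query: every pipe is matched, including one inside quotes.
    """
    return [m.group('Command') for m in COMMAND_RE.finditer(event)][:max_match]


def extract_commands_outside_quotes(event: str, max_match: int = 100) -> list[str]:
    """Assumed variant: blank out double-quoted strings first so a quoted "|" is ignored."""
    cleaned = QUOTED_RE.sub('""', event)
    return extract_commands(cleaned, max_match)


def count_commands(events, max_match: int = 100, skip_quoted: bool = False) -> list[tuple[str, int]]:
    """Equivalent of mvexpand + stats count by Command + sort - count over all events."""
    extract = extract_commands_outside_quotes if skip_quoted else extract_commands
    counter = Counter()
    for event in events:
        counter.update(extract(event, max_match))
    # Descending by count, then by name so the order is stable.
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == '__main__':
    print('As on the page (every pipe counted):')
    for cmd, n in count_commands(SAMPLE_EVENTS):
        print(f'  {cmd:<8} {n}')
    print('Ignoring pipes inside quoted strings:')
    for cmd, n in count_commands(SAMPLE_EVENTS, skip_quoted=True):
        print(f'  {cmd:<8} {n}')
```

With the page's pattern the third event yields "eval", "b" and "table", the "b" coming from the quoted "a|b"; the quote-aware variant drops it. Passing a smaller max_match shows the truncation rex would apply when an event has more pipes than the cap.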
Hope this has helped you achieve the following requirement without fail:
How to Match multiple “|” in the same event in Splunk Query Using REX in SPLUNK
Happy Splunking !!
Thanks for the step-by-step process explanation, easy to implement for a layman with Splunk
Thanks Suresh !!