Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need a query to find count of substring within string

caschmid
New Member
3 weeks ago

I need a query that will tell me the count of a substring within a string like this ...

"This is my [string]" and I need find the word and count of [string]. "This is my" is always the same but [string] is dynamic and can be many things, such as apple, banana etc. I need tabular data returned to look like 

Word           Count

apple          3

I tried this but doesnt seem to working 

rex field=_raw ".*This is my (?<string>\d+).*" | stats count by string 

 

Labels (1)
Labels
0 Karma
Reply

Prewin27
Communicator
3 weeks ago

@caschmid 

\d+ matches only digits, not any word.

If "This is my" is always constant, you can try below
rex field=_raw "This is my (?<string>\w+)" | stats count by string


Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks!

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
3 weeks ago

Two problems with your regex.

  1. \d represents a digit 0-9.  Unless your "string" only includes digits, \d+ will not match.
  2. As @livehybrid notes, your original string includes a pair of square brackets.

A usable code to extract "apple" from "This is my [apple]" would be

| rex "This is my \[(?<string>[^\]]+)\]"
| stats count by string

Note:

  • _raw is the default field for rex command.
  • .* at beginning and end of a regex serves no purpose except adding cost.
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
3 weeks ago

In addition to the other comments, you don't need the .* at the start and end of the regex

0 Karma
Reply

livehybrid
Super Champion
3 weeks ago

Hi @caschmid 

Would something like this work for you? This assumes you know the string you want count, is that right?

livehybrid_0-1749586546263.png

 

| rex max_match=100 field=_raw "(?<extract>\[string\])"
| stats count by extract

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
3 weeks ago

Use https://regex101.com to verify your regexes.

In this case it won't work for "string" not being a number because \d+ means a sequence of digits. Depending on how precise you want to be with this match, you might want \S+ or some other variation.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What did the zero say to the eight?

June 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...

This is the fifth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Now Playing: Splunk Education Summer Learning Premieres

It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...
OSZAR »