Phrase Frequency
I want to query for the number of times a phrase shows up in the default message field. I understand how to count the number of messages it shows up in, but this phrase can show up multiple times within the same message. This is due to the way our server batches log writing.
How would I go about doing this?
E.g. I have a phrase "some phrase to count", and I want to count the total number of times it appears in the logs, even within the same message.
-
Hi Matt,
You could probably try a "parse regex" along with the "multi" option to parse out each occurrence of the string within an individual message. Then you can count on that field to get the full number of occurrences within all the messages in the timerange. Here is an example.
| parse regex "(?<phrase>some phrase to count)" multi
| count by phrase
If you want to get a count of the occurrences just within each distinct message, you can add an additional field to the count operation to count by each "raw" message.
| parse regex "(?<phrase>some phrase to count)" multi
| count by phrase, _raw
More info on the parse regex and the "multi" option can be found in the help here.