I have log entries containing counts per country in format:
Map(USA -> 1234, CAN -> 5678, GBR -> 9012, FRA -> 3456)
Map(USA -> 1238, CAN -> 5692, GBR -> 9024, FRA -> 3478)
...
I want to make a timechart in Splunk with one series per country.
This is what I tried:
| rex "Map\((?<countries>([A-Z]+\ ->\ \d+(,\ )?)*)\)" | rex field=countries max_match=50 "(?<countries>[A-Z]+\ ->\ \d+)(,\ )?" | table _time countries
That works great and gives us two columns:
Then I tried to create a timechart, I replaced:
| table _time countries
with:
| rex field=countries "(?<country>[A-Z]+)\ ->\ (?<count>\d+)" | timechart count by country limit=0
But the result is that all counts are taken from the last country in the list.
How can I extract the counts per country for all items in the array?
The following rex commands should be sufficient to extract the country names and counts:
| makeresults
| eval m="Map(USA -> 1234, CAN -> 5678, GBR -> 9012, FRA -> 3456)"
| rex field=m max_match=0 "(?<cc>\w+\s+->\s+\d+)"
| mvexpand cc
| rex field=cc "(?<country>\w+) -> (?<count>\d+)"
| fields country, count
| eval {country}=count
| fields - country, count
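The same approach carried through to the timechart the question asks for, as an added example (not part of the answer above). It generates two constructed events one minute apart with makeresults, splits the Map() into one row per country with mvexpand before the second rex runs (which is why each row keeps its own count instead of the last country's), and then charts one series per country; the field and span names are assumptions.

```spl
| makeresults count=2
| streamstats count AS n
| eval _time=_time - (2 - n) * 60
| eval _raw=if(n=1,
    "Map(USA -> 1234, CAN -> 5678, GBR -> 9012, FRA -> 3456)",
    "Map(USA -> 1238, CAN -> 5692, GBR -> 9024, FRA -> 3478)")
| rex field=_raw max_match=0 "(?<cc>[A-Z]+\s+->\s+\d+)"
| mvexpand cc
| rex field=cc "(?<country>[A-Z]+)\s+->\s+(?<cnt>\d+)"
| timechart span=1m max(cnt) AS cnt by country limit=0
```

With real data, replace the first five lines with the base search that returns the log entries; max(cnt) is used because each event already carries a per-country total, so count by country would only tally events.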