In Splunk how to find the number of words based on the a pipe separator and add a value to it and assign it to a new filed

946 Views Asked by Boya Raghavendra At 12 April 2025 at 15:23

Hi Have an event like this shown below

Today's Greeting Messag=Hello|myname|name|is|Alice|myName|is|bob"}

How can i count the number of words between message= till "}. I have a | delimiter that should helps me to get the count of words in between. But for every count i want to add a specific number

example for above log i will get 8 words in between as count based on | separator. But for every count i would like to add some new number like 8+2 and the value to be updated to a new splunk field.

This will help in calculating if any event that is crossing the threshold of that value then i can trigger an alarm.

Some one please help me in getting this.

Original Q&A

There are 1 best solutions below

Simon Duff On 28 July 2020 at 22:42

You can try the following, which splits the string in to a multi value field of each word, then counts the number of values in that field. You can then add whatever numbers to the end as you need.

| eval msg_mv=split(msg,"|")
| eval words = mvcount(msg_mv)-1
| eval final_count = words+2

In Splunk how to find the number of words based on the a pipe separator and add a value to it and assign it to a new filed

There are 1 best solutions below

Related Questions in REGEX

Related Questions in SPLUNK

Related Questions in SPLUNK-QUERY

Related Questions in SPLUNK-CALCULATION

Related Questions in SPLUNK-FORMULA

Trending Questions

Popular # Hahtags

Popular Questions