Counting of a Particular Character in a Field

Counting of a Particular Character in a Field

     There are many ways to achieve the above scenario :

   1. Using "mvcount and split"  

      index="_internal" 

      | head 4 

      | eval Var="www.google.com" 

      | eval Result=(mvcount(split(Var,"."))-1) | table Var,Result

Var	Result
www.google.com	2
www.google.com	2
www.google.com	2
www.google.com	2

Explanation :

             In the above Example,We are trying to count the

             number of "." ( dots ) in the field "Var".

             With the help of "split" function we have split

             the words by "." split(Var,"."), so there 

             are three words coming "www","google" and "com"   

             and then we are taking the count of these words.

             mvcount(split(Var,".")). So,there are three words.

             But in order to achieve the output we have to 

             subtract "1" from the whole output.

             (mvcount(split(Var,"."))-1) whose result is stored

             in a newly created field called "Result"

Hope this has helped you in achieving the below requirement without fail :

Counting of a Particular Character in a Field

Happy Splunking !!