topic Re: Unique Errors for Last Week over All Time in Getting Data In

Unique Errors for Last Week over All Time

Joshua — Fri, 11 Feb 2011 18:31:34 GMT

I currently have a search set up to identify an individual error clustered to show the total count, detail and last seen timestamp output into a CSV table over all time. This search is scheduled to run/update weekly.

log_level="ERROR" | cluster field=error showcount=true countfield=count | table, _time, count, error | sort _time| outputcsv errorhistory.csv

My goal is to use this as a refrence point whereby I can run an identical search across a period of a week / day to cross reference if the individual error has ever been seen before from the all time csv i.e. a true new error.

I have attempted various lookup's however am now stuck for a way on how to work it.

Re: Unique Errors for Last Week over All Time

Rob — Fri, 11 Feb 2011 19:38:43 GMT

Have you tried taking a look at using either the "uniq" function with your search?

http://www.splunk.com/base/Documentation/4.1.7/SearchReference/Uniq

You could do something such as:

log_level="ERROR" | uniq | cluster field=error showcount=true countfield=count | table, _time, count, error | sort _time| outputcsv errorhistory.csv

Re: Unique Errors for Last Week over All Time

Joshua — Sat, 12 Feb 2011 00:31:29 GMT

I have tried used this command however it will only return unique results from the search window selected such as that week. Which i can get by adding | search(count=1) |

Rather I need the unique results (i.e. count equal to 1) for the week and have not appeared in the errorhistory.csv

Any thoughts?