topic Re: How to count from raw lines? in Splunk Search

How to count from raw lines?

ndiphe13 — Tue, 29 Sep 2020 18:22:47 GMT

I have a lot of RAW data with this format:
date_time,serverA,down
date_time,serverB,down
date_time,serverA,down
date_time,serverA,down
date_time,serverA,up
date_time,serverB,up

How to count that raw data so we can have the following result?
server | up | down|
serverA | 1 | 3 |
serverB | 1 | 1 |

Thanks,
Andi

Re: How to count from raw lines?

niketn — Tue, 13 Mar 2018 09:15:18 GMT

@ndiphe13, following is a run anywhere search based on the sample data and output provided in the question. The commands from | makeresults till | rename data as _raw generate the mock data. You can use your base search instead.

| makeresults
| eval data="date_time,serverA,down;date_time,serverB,down;date_time,serverA,down;date_time,serverA,down;date_time,serverA,up;date_time,serverB,up"
| makemv data delim=";" 
| mvexpand data
| rename data as _raw
| makemv _raw delim=","
| eval server=mvindex(_raw,1),status=mvindex(_raw,2)
| chart count over server by status

PS: Since you already have command delimited data, you can use props.conf to generate the fields server and status during search time. That way you will not require makemv and eval commands

<YourBaseSearch>
| chart count over server by status

Re: How to count from raw lines?

ndiphe13 — Wed, 14 Mar 2018 02:37:42 GMT

Thanks @niketnilay for your great sharing. Ive done some changes in the props.conf and transform.conf. The output is exactly what I am expected.

props.conf

[syslog]
REPORT-fields=commafields

transform.conf

   [commafields]
    DELIMS = ","
    FIELDS = date_time, server, sensor, status, remark

My Search

  <MyBaseSearch> | chart count over server by status

Re: How to count from raw lines?

niketn — Wed, 14 Mar 2018 03:02:41 GMT

Perfect!!! Way to go. 🙂