topic How to make whole Statement as a field? in Splunk Search

How to make whole Statement as a field?

jw44250 — Mon, 01 May 2017 15:34:24 GMT

I have a search base like below and want to put the count as 1.

index=index1 test machine is not responding java.lang.NullPointerException as "test" | stats  count by test | dedup test

My count is 0

Re: How to make whole Statement as a field?

somesoni2 — Mon, 01 May 2017 15:41:06 GMT

The stats commands works upon the fields. Assuming whatever string you've on base search you want to show count of it, Try one of following methods.

index=index1 test machine is not responding java.lang.NullPointerException | stats count  | eval test="test machine is not responding java.lang.NullPointerException " | table test count

 index=index1 test machine is not responding java.lang.NullPointerException | rex "(?<test>test machine is not responding java.lang.NullPointerException)"  | stats count by test

Re: How to make whole Statement as a field?

jw44250 — Mon, 01 May 2017 16:27:33 GMT

Thanks. let me try it.

can i do soemthing like this, it works but not gettign any result
index=index1 test machine is not responding java.lang.NullPointerException as "testmachine" | stats count by testmachine

Re: How to make whole Statement as a field?

somesoni2 — Mon, 01 May 2017 16:30:34 GMT

No you can't. YOu can't assign a field name to a string. You would need to have it extracted (like option 2) before you could use it.