https://community.splunk.com/t5/Splunk-Search/Displaying-2-counts-error-and-total/m-p/502827#M139924 <P>error message has to be extracted from raw text. Then i need to display total events count and error events count.</P> Tue, 24 Mar 2020 18:44:15 GMT shashankjuloori 2020-03-24T18:44:15Z https://community.splunk.com/t5/Splunk-Search/Displaying-2-counts-error-and-total/m-p/502825#M139922 <P>There is a requirement in which i need to display total count and errors(in total count). error message is in raw text.</P> Tue, 24 Mar 2020 17:27:59 GMT https://community.splunk.com/t5/Splunk-Search/Displaying-2-counts-error-and-total/m-p/502825#M139922 shashankjuloori 2020-03-24T17:27:59Z https://community.splunk.com/t5/Splunk-Search/Displaying-2-counts-error-and-total/m-p/502826#M139923 <P>Hi shashankjuloori.</P> <P>Not a lot to go on here. is the error message extracted in a field or only in _raw? Can you share an event or two of sample data to help out a bit|?</P> <P>./d </P> Tue, 24 Mar 2020 18:30:08 GMT https://community.splunk.com/t5/Splunk-Search/Displaying-2-counts-error-and-total/m-p/502826#M139923 darrenfuller 2020-03-24T18:30:08Z https://community.splunk.com/t5/Splunk-Search/Displaying-2-counts-error-and-total/m-p/502827#M139924 <P>error message has to be extracted from raw text. Then i need to display total events count and error events count.</P> Tue, 24 Mar 2020 18:44:15 GMT https://community.splunk.com/t5/Splunk-Search/Displaying-2-counts-error-and-total/m-p/502827#M139924 shashankjuloori 2020-03-24T18:44:15Z https://community.splunk.com/t5/Splunk-Search/Displaying-2-counts-error-and-total/m-p/502828#M139925 <P>Still not enough to work with. Please provide some sample events (mask private data) and desired output.</P> Tue, 24 Mar 2020 19:09:02 GMT https://community.splunk.com/t5/Splunk-Search/Displaying-2-counts-error-and-total/m-p/502828#M139925 richgalloway 2020-03-24T19:09:02Z https://community.splunk.com/t5/Splunk-Search/Displaying-2-counts-error-and-total/m-p/502829#M139926 <P>field1= || field2= || field3= || message------------error text ----------/message<BR /> this is the error message structure.</P> <P>here i need to separate the events which contains error text, suppose it to be errors and display both total count and error count.</P> Tue, 24 Mar 2020 19:21:25 GMT https://community.splunk.com/t5/Splunk-Search/Displaying-2-counts-error-and-total/m-p/502829#M139926 shashankjuloori 2020-03-24T19:21:25Z https://community.splunk.com/t5/Splunk-Search/Displaying-2-counts-error-and-total/m-p/502830#M139927 <P>we can extract <CODE>error text</CODE> and <CODE>message</CODE><BR /> but, isn't these actual logs?</P> Tue, 24 Mar 2020 21:24:28 GMT https://community.splunk.com/t5/Splunk-Search/Displaying-2-counts-error-and-total/m-p/502830#M139927 to4kawa 2020-03-24T21:24:28Z https://community.splunk.com/t5/Splunk-Search/Displaying-2-counts-error-and-total/m-p/502831#M139928 <P>Like this:</P> <PRE><CODE>... | rex to create error_text | stats dc(error_text) AS "error count" count AS "total count" by foundation | eventstats sum('total count') AS "grand total count" </CODE></PRE> Tue, 24 Mar 2020 23:30:14 GMT https://community.splunk.com/t5/Splunk-Search/Displaying-2-counts-error-and-total/m-p/502831#M139928 woodcock 2020-03-24T23:30:14Z https://community.splunk.com/t5/Splunk-Search/Displaying-2-counts-error-and-total/m-p/502832#M139929 <P>Sorry, i cant paste the logs due to security reasons.<BR /> Events are logged based on the field <CODE>foundation</CODE>, suppose A, B, C.<BR /> and logs will be like</P> <PRE><CODE>index=* Foundation=A | field1 | field2| ...message......errortest.../message index=* Foundation=A | field1 | field2| ...message......errortest.../message index=* Foundation=B | field1 | field2| ...message......errortest.../message index=* Foundation=C | field1 | field2| ...message......errortest.../message </CODE></PRE> <P>here i need to segregate the events based on the <CODE>error text</CODE> and <CODE>total count</CODE>, and the output should be like</P> <PRE><CODE>Foundation | error count | total count A count count B count count C count count </CODE></PRE> <P>and i am sorry for messing up the things.</P> Wed, 25 Mar 2020 10:39:20 GMT https://community.splunk.com/t5/Splunk-Search/Displaying-2-counts-error-and-total/m-p/502832#M139929 shashankjuloori 2020-03-25T10:39:20Z https://community.splunk.com/t5/Splunk-Search/Displaying-2-counts-error-and-total/m-p/502833#M139930 <P>Vague questions beget vague answers. @woodcock has the general idea. We must leave it to you to figure out how to extract the error text from each message since we don't have enough information about the structure of the messages.</P> Wed, 25 Mar 2020 12:48:09 GMT https://community.splunk.com/t5/Splunk-Search/Displaying-2-counts-error-and-total/m-p/502833#M139930 richgalloway 2020-03-25T12:48:09Z https://community.splunk.com/t5/Splunk-Search/Displaying-2-counts-error-and-total/m-p/502834#M139931 <P>I updated my vague answer.</P> Wed, 25 Mar 2020 14:14:11 GMT https://community.splunk.com/t5/Splunk-Search/Displaying-2-counts-error-and-total/m-p/502834#M139931 woodcock 2020-03-25T14:14:11Z https://community.splunk.com/t5/Splunk-Search/Displaying-2-counts-error-and-total/m-p/502835#M139932 <P>Thanks for the help.</P> Wed, 25 Mar 2020 14:16:37 GMT https://community.splunk.com/t5/Splunk-Search/Displaying-2-counts-error-and-total/m-p/502835#M139932 shashankjuloori 2020-03-25T14:16:37Z