https://community.splunk.com/t5/Splunk-Search/Counting-occurences-of-5-specific-strings-in-logs/m-p/295713#M160343 <P>@adonio, we all learn from each other. Your immaculate answers are always worth reading and most of the time I go BINGO, that is how it is done <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> Thanks!</P> Wed, 05 Jul 2017 11:41:36 GMT niketn 2017-07-05T11:41:36Z https://community.splunk.com/t5/Splunk-Search/Counting-occurences-of-5-specific-strings-in-logs/m-p/295710#M160340 <P>For a given sourcetype=src I have to search for five specific strings (let it be "abc", "def", "ghi", "jkl", "mno") occuring in the log and give the counts of each of these strings for every 10 minutes.</P> <P>I had thought of doing it using join after calculating counts for each separately. Is there any better way of doing it since the sourcetype is the same.<BR /> For each individual 1 I had planned to use the query<BR /> index=cm sourcetype=src "abc"| timechart span=10m count |join _time [....]</P> Wed, 05 Jul 2017 10:19:55 GMT https://community.splunk.com/t5/Splunk-Search/Counting-occurences-of-5-specific-strings-in-logs/m-p/295710#M160340 AshimaE 2017-07-05T10:19:55Z https://community.splunk.com/t5/Splunk-Search/Counting-occurences-of-5-specific-strings-in-logs/m-p/295711#M160341 <P>@AshimaE, If the strings are not already extracted as fields you can use <STRONG>searchmatch</STRONG> eval function to count the same.</P> <PRE><CODE>index=cm sourcetype=src ("abc" OR "def" OR "ghi" OR "jkl" OR "mno") | timechart span=10m count(eval(searchmatch("abc"))) as "abc" count(eval(searchmatch("def"))) as "def" count(eval(searchmatch("ghi"))) as "ghi" count(eval(searchmatch("jkl"))) as "jkl" count(eval(searchmatch("mno"))) as "mno" </CODE></PRE> <P>Since you are currently doing/planning this with join I am expecting events are not overlapping, i.e. event with "abc" will not have "def" and so on. If it does there will be different approach required. Please try out and confirm.</P> Wed, 05 Jul 2017 10:54:31 GMT https://community.splunk.com/t5/Splunk-Search/Counting-occurences-of-5-specific-strings-in-logs/m-p/295711#M160341 niketn 2017-07-05T10:54:31Z https://community.splunk.com/t5/Splunk-Search/Counting-occurences-of-5-specific-strings-in-logs/m-p/295712#M160342 <P>up-voting, i learned something new today!<BR /> thanks @niketnilay</P> Wed, 05 Jul 2017 11:29:03 GMT https://community.splunk.com/t5/Splunk-Search/Counting-occurences-of-5-specific-strings-in-logs/m-p/295712#M160342 adonio 2017-07-05T11:29:03Z https://community.splunk.com/t5/Splunk-Search/Counting-occurences-of-5-specific-strings-in-logs/m-p/295713#M160343 <P>@adonio, we all learn from each other. Your immaculate answers are always worth reading and most of the time I go BINGO, that is how it is done <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> Thanks!</P> Wed, 05 Jul 2017 11:41:36 GMT https://community.splunk.com/t5/Splunk-Search/Counting-occurences-of-5-specific-strings-in-logs/m-p/295713#M160343 niketn 2017-07-05T11:41:36Z https://community.splunk.com/t5/Splunk-Search/Counting-occurences-of-5-specific-strings-in-logs/m-p/295714#M160344 <P>Yes they do not overlap so this approach works good with my purpose. Thanks a lot @niketnilay</P> Thu, 06 Jul 2017 07:08:15 GMT https://community.splunk.com/t5/Splunk-Search/Counting-occurences-of-5-specific-strings-in-logs/m-p/295714#M160344 AshimaE 2017-07-06T07:08:15Z https://community.splunk.com/t5/Splunk-Search/Counting-occurences-of-5-specific-strings-in-logs/m-p/295715#M160345 <P>Glad it worked!!! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 06 Jul 2017 08:12:40 GMT https://community.splunk.com/t5/Splunk-Search/Counting-occurences-of-5-specific-strings-in-logs/m-p/295715#M160345 niketn 2017-07-06T08:12:40Z