https://community.splunk.com/t5/Splunk-Search/How-to-list-count-of-Error-messages/m-p/203464#M176685 <P>Yep in this case the answer of richgalloway is the more accurate. As I said. It only was quick and dirty.</P> Tue, 20 Sep 2016 13:56:14 GMT PPape 2016-09-20T13:56:14Z https://community.splunk.com/t5/Splunk-Search/How-to-list-count-of-Error-messages/m-p/203459#M176680 <P>I have multiple error messages in the logs and I do count by ErrorMessage. The error messages gets listed as below.</P> <P><STRONG>ErrorMessage</STRONG> <STRONG>Count</STRONG><BR /> Execute Hedging Failed <STRONG>427</STRONG><BR /> Execute Risk Failed <STRONG>727</STRONG><BR /> Unable to create parallel trade for trade ID 12345 <STRONG>400</STRONG><BR /> Unable to create parallel trade for trade ID 23456 <STRONG>326</STRONG></P> <P>In the table above error message 1 and 2 are valid but the 3rd and 4th are the same except for the trade ID difference. I want to tweak my query in such a way that 3 and 4 are joined together and I get Unable to create parallel trade <STRONG>726</STRONG> (400+326).</P> <P>My current query: index=XYZ sourcetype="Apache Log" Error | Stats count by PT_ErrMsg. PT_ErrMsg is field extract created for getting error message.</P> Tue, 29 Sep 2020 11:03:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-list-count-of-Error-messages/m-p/203459#M176680 AravindSridhara 2020-09-29T11:03:22Z https://community.splunk.com/t5/Splunk-Search/How-to-list-count-of-Error-messages/m-p/203460#M176681 <P>You'll need to convert similar error messages into a common form. Try this:</P> <PRE><CODE>index=XYZ sourcetype="Apache Log" Error | eval PT_ErrMsg=case(match(PT_ErrMsg,"Unable to create parallel trade for trade ID.*"),"Unable to create parallel trade for trade ID" , 1=1, PT_ErrMsg) | Stats count by PT_ErrMsg </CODE></PRE> Tue, 20 Sep 2016 12:34:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-list-count-of-Error-messages/m-p/203460#M176681 richgalloway 2016-09-20T12:34:10Z https://community.splunk.com/t5/Splunk-Search/How-to-list-count-of-Error-messages/m-p/203461#M176682 <P>quick and dirty:</P> <PRE><CODE>index=XYZ sourcetype="Apache Log" Error | eval ErrorMsg = if(like(PT_ErrMsg,"Unable to create parallel trade for trade ID%"),"Unable to create parallel trade for trade ID",PT_ErrMsg) | Stats count by PT_ErrMsg </CODE></PRE> Tue, 20 Sep 2016 12:41:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-list-count-of-Error-messages/m-p/203461#M176682 PPape 2016-09-20T12:41:52Z https://community.splunk.com/t5/Splunk-Search/How-to-list-count-of-Error-messages/m-p/203462#M176683 <P>Thanks it is working. What I should do if I want to do this for multiple error messages along with the one i mentioned above. For example<BR /> Failed to create trade for ID 1234 <STRONG>124</STRONG> Failed to create for ID 3214 <STRONG>470</STRONG> </P> Tue, 20 Sep 2016 13:13:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-list-count-of-Error-messages/m-p/203462#M176683 AravindSridhara 2016-09-20T13:13:01Z https://community.splunk.com/t5/Splunk-Search/How-to-list-count-of-Error-messages/m-p/203463#M176684 <P>That's where the case statement in my answer is useful. Just add an entry to it for each message.</P> Tue, 20 Sep 2016 13:20:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-list-count-of-Error-messages/m-p/203463#M176684 richgalloway 2016-09-20T13:20:11Z https://community.splunk.com/t5/Splunk-Search/How-to-list-count-of-Error-messages/m-p/203464#M176685 <P>Yep in this case the answer of richgalloway is the more accurate. As I said. It only was quick and dirty.</P> Tue, 20 Sep 2016 13:56:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-list-count-of-Error-messages/m-p/203464#M176685 PPape 2016-09-20T13:56:14Z https://community.splunk.com/t5/Splunk-Search/How-to-list-count-of-Error-messages/m-p/203465#M176686 <P>Hi Richgalloway, this is not working even for the message you have provided. It is listing all the unable to create trade.</P> Wed, 21 Sep 2016 11:48:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-list-count-of-Error-messages/m-p/203465#M176686 AravindSridhara 2016-09-21T11:48:48Z https://community.splunk.com/t5/Splunk-Search/How-to-list-count-of-Error-messages/m-p/203466#M176687 <P>I used the wrong wildcard in the <CODE>match</CODE> command. The edited answer should work. Or you can use <CODE>like</CODE> as in PPape's answer.</P> Wed, 21 Sep 2016 12:00:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-list-count-of-Error-messages/m-p/203466#M176687 richgalloway 2016-09-21T12:00:31Z