topic Re: Display specific field in log by count in Splunk Search

Display specific field in log by count

Bhavika — Mon, 01 Jul 2024 18:10:16 GMT

I want to write the query which will number of count the event occurred and time taken for that.

This is the log -

log: 2024-07-01 16:57:17.022 INFO 1 --- [nio-8080-exec-6] xyztask : FILE_TRANSFER | Data | LOGS | Fetched count:345243 time:102445ms

time: 2024-07-01T16:57:17.022583728Z

I want result like -

| count | time |

| 2528945 | 130444 |

Query that I am writing

base search | stats count by count | stats count by time | table count time

For stats count by count I am getting error -

Error in 'stats' command: The output field 'count' cannot have the same name as a group-by field

Query isn't right, correct solution would be helpful. Also tried different queries different ways.

Re: Display specific field in log by count

ITWhisperer — Mon, 01 Jul 2024 18:23:17 GMT

Is it just a case of extracting count and time from your event? If so, why are you using stats commands?

Re: Display specific field in log by count

Bhavika — Mon, 01 Jul 2024 18:26:00 GMT

@ITWhisperer Yes, just the extraction of count and time which is there in log. What is the correct way ? I am new to Splunk.

Re: Display specific field in log by count

ITWhisperer — Mon, 01 Jul 2024 18:54:19 GMT

Probably the simplest (assuming the event you posted is an accurate representation of your events) is to use rex to extract the fields.

| rex "count:(?<count>\d+) time:(?<time>\d+)ms"

Re: Display specific field in log by count

PickleRick — Mon, 01 Jul 2024 19:28:07 GMT

With stats command you can use the same field name in both the aggregation function (in your case you want a count of events which yields a field named just count) and the list of fields by which you split the results (in your case count is also a field name within the event.

You can walk around the problem by renaming the field. Like

| stats count as event_count by count

This way the count of events will not be named count in the results but will be named event_count whereas the field by which you split the results (which comes from your events) will stay named count. Yes, it's a tiny bit confusing.

Anyway, I don't see what's the relation between your data and your desired results. And your final table command is completely unnecessary at this point - your results will just contain table of fields count and time after the last stats command so the table command is not needed.

Re: Display specific field in log by count

Bhavika — Tue, 02 Jul 2024 03:23:22 GMT

This is generating logs and not the expected output.

Re: Display specific field in log by count

bowesmana — Tue, 02 Jul 2024 04:29:34 GMT

rex just extracts the fields, now add

| table count time

if you want each event listed with the count and time.

If you want some other representation of those values, please say what you want

Re: Display specific field in log by count

ITWhisperer — Tue, 02 Jul 2024 07:03:56 GMT

What is your full search?