topic Re: Iterate through the results of a query in Splunk Search

Iterate through the results of a query

DJPillowhead — Mon, 16 Feb 2015 10:48:03 GMT

Hi All,

I have a query that gives me a result in a name value format in a table.
Basically I work with log lines and I'm counting how many times one field has a discreet value.

Log lines can be e.g.:

errorid=1 hostname=a value=1
errorid=1 hostname=b value=3
errorid=1 hostname=a value=2
errorid=1 hostname=c value=1
errorid=2 hostname=c value=1

I'm able to create a query like:

errorid=*| stats count(eval(errorid='1') by hostname as Host

errorid=* | stats count(eval(errorid='1') by value as Value

But what I'd need that get the result from the first query and run the second against that subset.
So I'd like to find out that how many error messages have value X on a given host and get this for all hosts that appear in these kind of messages.

Any ideas?

Re: Iterate through the results of a query

cchitten — Mon, 16 Feb 2015 11:09:43 GMT

does this work:

errorid=1 | stats count by hostname

Re: Iterate through the results of a query

DJPillowhead — Mon, 16 Feb 2015 11:37:43 GMT

Thanks, but that's written there in my question. I'd like to have a result that shows how many errors came with hostname "somehing" AND on a third column, how much of these had value x.

Re: Iterate through the results of a query

cchitten — Mon, 16 Feb 2015 12:08:43 GMT

you wrote "how many error messages have value 1" not value X. And your searches weren't even using the right field names. Thats where i thought you were going wrong.

You could simply use a subsearch:

 index=* [search index=* errorid=1 | table errorid] | stats count, dc(errorid), values(errorid) by hostname

Re: Iterate through the results of a query

Runals — Mon, 16 Feb 2015 12:28:28 GMT

With your interaction with cchitten I'm not really sure what you are asking. Have you tried

errorid=* | stats count by hostname errorid value | sort hostname errorid

That will give you the individual counts of unique events. You could then do additional stats or eventstats commands if you wanted to find other pieces of summary data. I guess if that doesn't help I'd suggest posting an example of hoped for outcome.

Re: Iterate through the results of a query

DJPillowhead — Mon, 16 Feb 2015 13:05:23 GMT

Thanks for your answer, I've made my initial question more straightforward.

Re: Iterate through the results of a query

DJPillowhead — Mon, 16 Feb 2015 13:08:03 GMT

Output should be a table something like:

errorid | hostname | count
1 | a | 5
1 | b | 2
1 | c | 4
2 | a | 5

Re: Iterate through the results of a query

Runals — Mon, 16 Feb 2015 13:27:39 GMT

easy then - just a stats count by errorid hostname. Again though assuming you aren't wanting to do something with the field "value". Of course you could get all fancy and do something like

... | stats count by error hostname value | sort hostname | stats sum(count) as total_events list(hostname) as hostname list(value) as value by error

Since you seem to be interested in the error messages. If you wanted to focus more on the errors from a particular host you could reverse that to

... | stats count by error hostname value | sort hostname | stats sum(count) as total_events list(error) as error list(value) as value by hostname

Of course I'm partial to that sort of formatting but it doesn't translate well to PDF or csv output.