topic count message types by facility in Splunk Search

count message types by facility

technoe — Mon, 28 Sep 2020 15:50:50 GMT

I need to know when a particular facility isn't passing a message type(s). In Powershell it would be as easy as, foreach($facility in $facilities) find message_types...however, sense Splunk doesn't have a foreach command, I'm not sure how to do this. The index contains a field called facility and a field called message_type. Let me know if you need more info.

Thanks!

Re: count message types by facility

somesoni2 — Mon, 10 Feb 2014 18:43:46 GMT

Check splunk's map search command which provides foreach loop. Also, provide sample data/expected output.

Re: count message types by facility

technoe — Mon, 28 Sep 2020 15:50:56 GMT

Output should be a list of message_types per facility, including 0 count message_types ie:
message_type facilities count
type1 facility1 1
type2 3
type3 0

type1                      facility2                 2

etc....

Re: count message types by facility

theouhuios — Mon, 10 Feb 2014 18:52:14 GMT

Please try this |stats count by message_type,facilities

Re: count message types by facility

technoe — Mon, 10 Feb 2014 18:53:23 GMT

That doesn't show me 0 values though. I need to compare the index to a list of known message types.

Re: count message types by facility

technoe — Mon, 10 Feb 2014 18:57:12 GMT

Let me say this another way. I have a list of known message types and I need to know that each facility is processing each message type over a period of time, if the message type count is 0 I need to know that.

Re: count message types by facility

theouhuios — Mon, 10 Feb 2014 19:01:35 GMT

Is there any information in the data which says a particular messsage_type isn't working in a facility? If not, then you might have to use some other methods like Lookup table where you use your existing list with splunk returned results and then compare the values to get the final result.

Re: count message types by facility

technoe — Mon, 10 Feb 2014 19:02:45 GMT

I have a lookup file containing every file type but I don't know how to compare that to the results of the search.

Re: count message types by facility

somesoni2 — Mon, 10 Feb 2014 19:04:52 GMT

Try this

<your search providing list of message types (field coming here is message_type)> | join type=left max=0 message_type [search <your base search> | stats count by message_type, facilities] | fillnull count

Query updated to include max=0. try this one. Sample with considering you're using lookup table file.

 | lookup messagetypes.csv | fields message_type | join type=left max=0 message_type [search <your base search> | stats count by message_type, facilities] | fillnull count

Re: count message types by facility

technoe — Mon, 10 Feb 2014 19:10:45 GMT

That's really close. Unfortunately, it's only returning about 22 results. There should be hundreds.

Re: count message types by facility

somesoni2 — Mon, 10 Feb 2014 19:19:05 GMT

try the updated query.

Re: count message types by facility

technoe — Mon, 10 Feb 2014 19:35:01 GMT

That is it exactly! Thanks a ton. I've been working on this for a week straight.

Re: count message types by facility

uuppuluri_splun — Fri, 07 Mar 2014 21:41:07 GMT

Splunk has a foreach command
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Foreach