topic Re: EventStats count Function in Splunk Search

EventStats count Function

markthompson — Thu, 08 Jan 2015 12:57:13 GMT

Hello,
I'm looking to use the eventstats function to count the amount of times the word Error occurs in my event.

Can anyone help as it doesn't appear to work ?

Re: EventStats count Function

tom_frotscher — Thu, 08 Jan 2015 13:21:54 GMT

Hi,

if you want to count the amount of times a word exists in a single event, i do not think eventstats can do it. You can use the stats commands for example to tell you how much events out of all your events contain the word "error".

But you can get what you want with a little combination of regex and eval. In the following run everywhere example, i counted the word hello in the field "text":

| stats count | eval text= "hello world hello my friends and so on hello." | rex field=text max_match=0 "(?<list>hello)" | eval amount=mvcount(list)

For your usecase you can change the field of the rex command to "_raw" (wich is also the default) and it should work.

Greetings

Tom

Re: EventStats count Function

markthompson — Thu, 08 Jan 2015 13:26:01 GMT

Hi Tom,
We cannot use the stats as we want to table it later on, so we would need to use some sort of other combination.

Any ideas?

Re: EventStats count Function

fdi01 — Thu, 08 Jan 2015 13:28:55 GMT

       ...  "error"| eventstats count  as number_events_error | table number_events_error

Re: EventStats count Function

markthompson — Thu, 08 Jan 2015 13:36:20 GMT

Hi fdi01,
We've tried this but it's not really working as we do other stuff above. Any other ideas?

Re: EventStats count Function

tom_frotscher — Thu, 08 Jan 2015 13:39:30 GMT

Can you maybe post some sampledata and your search string? Because i do currently not understand why the solution should not be applicable.

If you mean because i used the stats command first, this is just to let my example run everywhere. You can also do this:

index=_internal sourcetype=splunkd | rex  max_match=0 "(?<list>size)" | eval amount=mvcount(list) | table _raw amount

Which counts the word "size" per event in your splunkd logs.

Re: EventStats count Function

acharlieh — Thu, 08 Jan 2015 13:42:59 GMT

In this case, tom's use of stats count and the first eval are just to setup a dummy event for testing. He's suggesting that you use the following rex and eval

Re: EventStats count Function

tom_frotscher — Thu, 08 Jan 2015 13:45:12 GMT

Correct, i edited it while you were writing this xD

Re: EventStats count Function

aweitzman — Thu, 08 Jan 2015 13:51:37 GMT

Tom's suggestion doesn't use stats. Starting a search with | stats count is just a way to create a sample without any real data. Replace Tom's | stats count with your actual search string, and remove his eval text= phrase, since your data already exists. The important part in his answer is the rex:

...your search... | rex field=_raw max_match=0 "(?<list>hello)" | eval amount=mvcount(list)