topic Re: How to count events from a same file with having two different raw text ? in Splunk Search

How to count events from a same file with having two different raw text ?

m7787580 — Mon, 08 Jan 2018 15:43:08 GMT

Hi Splunker,

I have to count success and failure count from the same index and sourcetype on the basis of raw text in an event.
Only difference is that for success raw text is different and for failure raw text is different.

I have used below logic to find count of success and failure but this query is taking loads of time to execute.

Please remember these strings present below are not any field in Splunk it's a simple text on the basis of that i need to filter and count.

Could you please suggest me some other way by which i can execute this query faster.

index=Only_prod host=winter-p*-1 sourcetype="Season.log"
(Incoming OR Outgoing)
NOT ("Some String One" ) ("Some String Two" OR "Some String Three" OR "Some String Four")
|stats count as Error

|Join serviceName type=outer [
search index=Only_prod host=winter-p*-1 sourcetype="Season.log"
(Incoming OR Outgoing)
NOT ("Some String Five" ) ("Some String Seven" OR "Some String Six" OR "Some String Eight")
| stats count as Successes ]

Thanks in Advance
Regards,

Re: How to count events from a same file with having two different raw text ?

somesoni2 — Mon, 08 Jan 2018 15:50:59 GMT

Give this a try.

index=Only_prod host=winter-p*-1 sourcetype="Season.log"
(Incoming OR Outgoing) 
(NOT ("Some String One" ) ("Some String Two" OR "Some String Three" OR "Some String Four")) OR NOT ("Some String Five" ) ("Some String Seven" OR "Some String Six" OR "Some String Eight")
| eval Success=if(searchmatch("NOT (\"Some String One\" ) (\"Some String Two\" OR \"Some String Three\" OR \"Some String Four\""),1,0) | eval Error=abs(Success-1)
|stats sum(Error) as Errors sum(Success) as Successes

Re: How to count events from a same file with having two different raw text ?

gcusello — Mon, 08 Jan 2018 15:57:38 GMT

Hi m7787580,
try something like this:

(index=Only_prod host=winter-p*-1 sourcetype="Season.log" (Incoming OR Outgoing) NOT ("Some String One" ) ("Some String Two" OR "Some String Three" OR "Some String Four")) OR (index=Only_prod host=winter-p*-1 sourcetype="Season.log" (Incoming OR Outgoing) NOT ("Some String Five" ) ("Some String Seven" OR "Some String Six" OR "Some String Eight"))
| eval status=case(searchmatch("Some String Two"),"Error",searchmatch("Some String Three"),"Error",searchmatch("Some String Four"),"Error",searchmatch("Some String Seven"),"Success",searchmatch("Some String Six"),"Success",searchmatch("Some String Eight"),"Success")
| stats count BY status

In few words: put in OR both your searches and, using eval, give a status to each event, then you can use stats command.

Bye.
Giuseppe