Archive

Linecount issue when searching logs

Builder

I have a question regarding a search I am trying to compose.

Here is a snipped from the logs:

Tue Jan 18 13:50:01 UTC 2011
/opt/OXRS/blahblahblah/oxrs-flex/rpt
threshold check query succeeded at /opt/OXRS/INFO-CRON/oxrs-flex/rpt/rpt_send_notification_email.pl line 65.
Log DB handle successfully connected
send_to_email [support@dnottellingyou.com]
Inserting a record into the notification table
send_to_email [billing@nopetryagain.com]
Inserting a record into the notification table
send_to_email [heynow@heynow.com]
Inserting a record into the notification table
All done!

so, all i want out of this log is to know every time that send_to_email is printed in this logs. that indicates an email went out. I eventually want to get a count of all the emails went out, so counting send_to_email is the best option. So far my search looks like this:

sourcetype="Cron_SendNotificationEmail" source="*info*" starthoursago="24" send_to_email:

I have tried using the field extractor to make send_to_email a field, but it did not work out as expected. I also tried making this an eventtype. I was able to make send_to_email an eventtype so I could use it for searching, but then I noticed something.

LINECOUNT! I'm having issue with the linecount. Meaning, splunk will find a log entry and only count finding send_to_email ONCE when right there in front of you in black and white you clearly see send_to_email 3 TIMES....but splunk only counts it as one "event"

Case in point the example above splunk only sees as 1 event and only counts send_to_email once, not 3 times...

How on earth do I fix this? Do I have to use props.conf?

0 Karma
1 Solution

Splunk Employee
Splunk Employee

Sure, try this:

sourcetype="Cron_SendNotificationEmail" source="*info*" starthoursago="24" | rex max_match=10 "send_to_email \[(?P<send_to_email>\S+)\]"

If you want to match more than 10, just increase the max_match value.

Hope that helps.

View solution in original post

0 Karma

Splunk Employee
Splunk Employee

Sure, try this:

sourcetype="Cron_SendNotificationEmail" source="*info*" starthoursago="24" | rex max_match=10 "send_to_email \[(?P<send_to_email>\S+)\]"

If you want to match more than 10, just increase the max_match value.

Hope that helps.

View solution in original post

0 Karma