Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to group events with similar field value

deepaksn1214
Engager
‎04-14-2021 04:33 PM

I want to group events with similar pattern of error messages .  This is how the data looks like

Message|Count
Error replaying queued events: undefined                                                1
initConfig is missing!                                                                                           1
"Error loading https://www.example.com/123 timeTaken=1 ms"  1
"Error loading https://www.example.com/123 timeTaken=2 ms"  1

Expected Output
Message|Count
Error replaying queued events: undefined 1
initConfig is missing!                                            1
"Script Load Error"                                                2

This is the query i am using

 | eval Message.msg=case(like(Message.msg,"Error loading https://%"), "Script loading Error", 1=1, Message.msg) | stats count by Message.msg

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎04-14-2021 10:53 PM

@deepaksn1214 

Your existing Message.msg contains a quote before the Error, so you need to include that in the like statement

| eval Message.msg=case(like(Message.msg,"\"Error loading https://%"), "Script loading Error", 1=1, Message.msg) 
| stats count by Message.msg

 See the \" before the Error

Hope this helps

 

0 Karma
Reply

deepaksn1214
Engager
‎04-15-2021 12:28 AM

@bowesmana 

Thanks for looking into this. 

Tried it with the "\" and it dint work. 

I was trying different things , one thing I noticed is, if I change the field Message.msg in the like statement to a static string like "Error loading something" I get a single resultset. Do you think it has something to do ? 

This is the query I am using 

index="fe_logging" logType=ERROR userId=TrackStar | eval Message.msg=case(like(Message.msg,"\"Error loading%"), "Script loading Error") | stats count by Message.msg

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎04-16-2021 04:49 PM

When using field names in eval statements, that contain non standard characters, you need to surround your field name with single quotes

 

index="fe_logging" logType=ERROR userId=TrackStar 
| eval Message.msg=case(like('Message.msg',"\"Error loading%"), "Script loading Error")
| stats count by Message.msg

See the extra quotes surrounding 

 

'Message.msg'

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...