How to combine events which got generated in a spe...

kranthimutyala · ‎10-06-2022

Hi Team,

Im trying to combine events which are generated in a specific span of 1hr and show the count as 1 instead of the actual count. I tried with a bucket and its clubbing them the count is still not coming to 1.
Irrespective of how many events has been geenrated for a specific condition in a span of 1hr I want to keep it as count 1. Can someone help on how to achieve this .Thanks

ITWhisperer · ‎10-06-2022

Please share the search you have tried to solve this, preferably in a code block (use the </> formatting button)

kranthimutyala · ‎10-07-2022

index = abc Environment = "PROD" ProcessName = "*" LogType = "*" TaskName = "*Main*" (LogLevel=ERROR OR LogLevel=FATAL) | bucket _time span=2h |stats count by _time TaskName

ITWhisperer · ‎10-07-2022

Your stats command is counting the events in the pipeline and creating stats events - try counting these stats events with the same by clause

index = abc Environment = "PROD" ProcessName = "*"  LogType = "*" TaskName = "*Main*" (LogLevel=ERROR OR LogLevel=FATAL) | bucket _time span=2h |stats count by _time TaskName |stats count by _time TaskName

How to combine events which got generated in a specific span?

index

source

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Accelerating Observability as Code with the Splunk AI Assistant

Join the Conversation