How to combine events which got generated in a spe...

kranthimutyala · ‎10-06-2022

Hi Team,

Im trying to combine events which are generated in a specific span of 1hr and show the count as 1 instead of the actual count. I tried with a bucket and its clubbing them the count is still not coming to 1.
Irrespective of how many events has been geenrated for a specific condition in a span of 1hr I want to keep it as count 1. Can someone help on how to achieve this .Thanks

ITWhisperer · ‎10-06-2022

Please share the search you have tried to solve this, preferably in a code block (use the </> formatting button)

kranthimutyala · ‎10-07-2022

index = abc Environment = "PROD" ProcessName = "*" LogType = "*" TaskName = "*Main*" (LogLevel=ERROR OR LogLevel=FATAL) | bucket _time span=2h |stats count by _time TaskName

ITWhisperer · ‎10-07-2022

Your stats command is counting the events in the pipeline and creating stats events - try counting these stats events with the same by clause

index = abc Environment = "PROD" ProcessName = "*"  LogType = "*" TaskName = "*Main*" (LogLevel=ERROR OR LogLevel=FATAL) | bucket _time span=2h |stats count by _time TaskName |stats count by _time TaskName

How to combine events which got generated in a specific span?

index

source

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation