Splunk Search

Count and chart two different queries

zebulajams
Explorer

Hey all,

Newbie here learning Splunk. I'm starting to get into dashboards and want to create either a pie chart or just a simple count of how many times a certain string occurs in a log file.

| stats count("no phase found for entry") count("no work order found")

This returns two columns but they both have 0 in them. But if I just search for each string individually or with an OR statement, it returns all entries (which is around 118 combined).

I've been reading through the Splunk Documentation on stats but can't seem to find an answer on how to combine two counts of anything.

Any help is appreciated!

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Give this a try

Your base search
| stats count(eval(searchmatch("no phase found for entry"))) as count_no_phase count(eval(searchmatch("no work order found"))) as count_no_order


0 Karma


zebulajams
Explorer

That worked, but I think I discovered a fundamental problem with my search.

As I said, I'm really new to Splunk and didn't know I needed a search at the beginning before I did the stats command. What I did was:

"no phase found for entry" OR "no work order found" | stats count(eval(searchmatch("no phase found for entry"))) AS count_no_phase count(eval(searchmatch("no work order found"))) AS count_no_order

Before the pipe command, can I just search for anything? Or does it have to match exactly what I'm looking for in the searchmatch?

EDIT: Also, it doesn't look like I can plot these results (50 for count_no_phase & 2 for count_no_order) on something like a pie chart after running that search. It splits them into a table format, but I'm not so sure how to get it onto a pie or line chart.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

The stats count function is counting events in the pipeline. You can affect which ones are counted in a number of ways. One way might be to count whether a condition is true. For example:

| eval no_phase=if(match(_raw,"no phase found for entry"),1,0)
| eval no_work_order=if(match(_raw,"no work order found"),1,0)
| stats sum(no_phase) as no_phase sum(no_work_order) as no_work_order
0 Karma
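The two answers above both produce a single row with one column per count, which a pie chart cannot consume directly. The following added example (not posted by anyone in this thread) restructures the same search so each string becomes one row of a `category`/`count` table, which the pie and bar chart visualizations accept; the index and sourcetype names are assumptions, and the base search before the first pipe is what the `stats` command counts over.

```spl
index=app_logs sourcetype=app:log ("no phase found for entry" OR "no work order found")
| eval category=case(
    searchmatch("no phase found for entry"), "no_phase",
    searchmatch("no work order found"),      "no_work_order")
| stats count by category
```

With the numbers from the thread this yields two rows, `no_phase` with 50 and `no_work_order` with 2, and the Visualization tab can render that table as a pie chart without further transformation.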

zebulajams
Explorer

Hmm. That didn't seem to work. All it returns is:

No results found. Try expanding the time range.

I expanded to the last 7 days to make sure and it still didn't find anything. I also just tried doing

| eval no_phase=if(match(_raw,"no phase found for entry"),1,0) | stats sum(no_phase) AS phase

This also did not return any results.

Any other ideas?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Can you share some of the events you are working with?

0 Karma