Is there any way to save the count of the events before doing the dedup?
This is my query:
index="webapplication_logs" sourcetype="error_log" | rex field=_raw "Severity:\s (?<Severity>.+)" | search Severity = Error
This query lists all my Severity=Error events (i.e., a total of 3 events in the last 10 minutes custom timeframe):
....................
Date: [07/Mar/2004:16:04:49 -0800]
IP: ipaddress
Method: "GET /topicparent=Main.ConfigurationVariables HTTP/1.1"
Response: 401
Type: Info
Severity: Error
....................
....................
Date: [07/Mar/2004:16:05:49 -0800]
IP: ipaddress
Method: "GET /topicparent=Main.ConfigurationVariables HTTP/1.1"
Response: 401
Type: Info
Severity: Error
....................
....................
Date: [07/Mar/2004:16:07:49 -0800]
IP: ipaddress
Method: "GET /topicparent=Main.ConfigurationVariables HTTP/1.1"
Response: 401
Type: Info
Severity: Error
....................
Now I used dedup to show only one result in the last 10 minutes timeframe.
index="webapplication_logs" sourcetype="error_log" | rex field=_raw "Severity:\s (?<Severity>.+)" | search Severity = Error | dedup Severity
OUTPUT
....................
Date: [07/Mar/2004:16:07:49 -0800]
IP: ipaddress
Method: "GET /topicparent=Main.ConfigurationVariables HTTP/1.1"
Response: 401
Type: Info
Severity: Error
....................
But I want to show the total error event count (i.e. 3 events) in the output, or else have the count saved in a field.
I have tried the eval command to save the count, but the field value count shows 1 after using dedup (skipped this method).
| eval tcount = mvcount(Severity)
Then I used the stats command, which counts the events but doesn't show the raw event.
| stats count by Severity
I have included _raw with the stats command, but COUNT didn't work, maybe because the _raw event timestamps are different.
| stats count by Severity, _raw
OUTPUT
Severity Count _raw
Error 1 event
Error 1 event
Error 1 event
But how to show the count of the events as well as the 1 similar error event?
DESIRED OUTPUT
Severity Count _raw
Error 3 event
OR is there any other method to save the event count before dedup?
You can do this with eventstats like this:
Your first search | eventstats count AS b4dedup | dedup Some Fields Here | eventstats count AS afterdedup | eval extra_events = b4dedup - afterdedup
So I would do something like this. Hopefully you and/or your Splunk admin can eventually bake in the field extractions. To me what would be interesting is the number of errors per Method (URL/resource really) and how many unique IPs tried to access whatever it was. Given the sourcetype name, is there anything other than 'Error' Severity logs? If not, or if you are specifically interested in those, I'd search on that before the first pipe /shrug. You could put all of your field extractions in one rex, but for visual parsing I'll break them up as well. On the Method line extraction you will likely need a total of 3 backslashes. I'm not using the method field, but you might as well extract it at some point.
index="webapplication_logs" sourcetype="error_log" "severity: error" | rex "Severity:\s (?<Severity>.+)" | rex "IP: (?<src_ip>\S+)" | rex "Method: \"(?<method>\S+)\s(?<url>\S+)" | stats dc(src_ip) as IPs count as totalEvents by Severity url
Or if you want to get a breakdown of counts per IP / url something like
index="webapplication_logs" sourcetype="error_log" "severity: error" | rex "Severity:\s (?<Severity>.+)" | rex "IP: (?<src_ip>\S+)" | rex "Method: \"(?<method>\S+)\s(?<url>\S+)" | stats count by Severity url src_ip | sort -count | stats sum(count) as totalEvents list(src_ip) as IPs list(count) as attempts by Severity url
Something like this should work:
index="webapplication_logs" sourcetype="error_log" | rex field=_raw "Severity:\s (?<Severity>.+)" | search Severity = Error | stats count as totalCount values(_raw) as _raw by Severity
*OR*
index="webapplication_logs" sourcetype="error_log" | rex field=_raw "Severity:\s (?<Severity>.+)" | search Severity = Error | stats count as totalCount latest(_raw) as _raw by Severity
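The following is an added example, not one of the answers above, that puts the eventstats approach and the "keep the latest raw event" idea together on the question's own log format. It assumes the raw events contain the literal text "Severity: Error" (as in the sample), that the Method line is a quoted "VERB URL PROTOCOL" string, and that a Splunk version supporting the sortby clause of dedup is in use. The field names src_ip, url, status, total_errors and unique_ips are made up for this example, and the regexes use \s+ rather than the question's "\s " so that they do not depend on an exact number of spaces after the colon.

```spl
index="webapplication_logs" sourcetype="error_log" "Severity: Error"
| rex field=_raw "Severity:\s+(?<Severity>\w+)"
| rex field=_raw "IP:\s+(?<src_ip>\S+)"
| rex field=_raw "Response:\s+(?<status>\d+)"
| rex field=_raw "Method:\s+\"(?<method>\S+)\s+(?<url>\S+)"
| search Severity=Error
| eventstats count AS total_errors dc(src_ip) AS unique_ips BY Severity url
| dedup Severity url sortby -_time
| table _time Severity url status total_errors unique_ips _raw
```

eventstats runs before dedup, so total_errors is the count over every matching event (3 for the sample above, since all three hit the same url) and is copied onto each event rather than collapsing them. dedup then keeps one event per Severity and url, and sortby -_time makes that the newest one, which is the same event the question's dedup output showed. The keyword filter before the first pipe narrows the events read from the index before any rex runs, which matters on a busy sourcetype. If you only want one row per Severity regardless of url, drop url from both the BY clause and the dedup field list.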