Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Count occurrences of string and put them in table row wise?

Vivekmishra01
Explorer
‎01-10-2023 07:14 AM

I am trying to find few strings in my search query and count occurrences of them and I want to put them in a two column table. I am able to do it with stat command, but it's coming like string as column name and count in the row bwlow. Below is what I am using and what I ma getting.

 

 

 

index=<index> <search String > "Failed" | stats count AS Failed count(eval(searchmatch("Failed Acknowledged"))) AS "Failed Acknowledged" count(eval(searchmatch("UnexpectedException Caught"))) AS "UnexpectedException Caught" count(eval(searchmatch("NonRetryableException Caught"))) AS "NonRetryableException Caught"

 

 

 

However I want a result like below.

Vivekmishra01_0-1673363523720.png

Can anyone help? Thanks in advance.

Labels (3)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

GaetanVP
Contributor
‎01-10-2023 07:46 AM

Hello ! 

You could try this :

<your search> | transpose 0 column_name="Message" | rename "row 1" as Count

 

Good luck!

View solution in original post

Reply
Solved! Jump to solution

FelixLeh
Contributor
‎01-10-2023 08:15 AM

Hi!
Is this accomplishing what you are looking for? (I assume you are working with untransformed Events here)

 

index=<index> <search String > "Failed" 
| eval Message = case(like(_raw,"%Failed Acknowledged%"),"Failed Acknowledged",like(_raw,"%UnexpectedException Caught%"),"UnexpectedException Caught",like(_raw,"%NonRetryableException Caught%"),"NonRetryableException Caught",true(),NULL)
| stats count by Message

 

 If you want to add a line that sums up the total amount of events you can add the following:

 

| addtotals fieldname=count col=t labelfield=Message

 

0 Karma
Reply
Solved! Jump to solution
Solution

GaetanVP
Contributor
‎01-10-2023 07:46 AM

Hello ! 

You could try this :

<your search> | transpose 0 column_name="Message" | rename "row 1" as Count

 

Good luck!

Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...