Splunk Search

Count of multiple unique events per field

larunrahul
Observer

Hi Folks,

 

I have two types of events that look like this

Type1:

TXN_ID=abcd inbound call INGRESS

Type2:

TXN_ID=abcd inbound call EGRESS

 

i want to find out how many events of each type per TXN_ID. If the counts per type don't match per TXN_ID, I want to out put that TXN_ID

 

I know that we can do stats count by TXN_ID. But how do so do that Per event type in same query?

 

Appreciate the help.

 

Thanks

Labels (4)
0 Karma

tscroggins
Influencer

Hi @larunrahul,

You can use the rex, chart, and where commands to extract the call type, summarize the events, and filter the results, respectively:

| makeresults format=csv data="_raw
TXN_ID=abcd inbound call INGRESS
TXN_ID=abcd inbound call EGRESS
TXN_ID=efgh inbound call INGRESS" 
| extract 
| rex "inbound call (?<call_type>[^\\s]+)" 
| chart count over TXN_ID by call_type 
| where INGRESS!=EGRESS
TXN_ID	EGRESS	INGRESS
efgh         0        1

I've used the extract command to automatically extract the TXN_ID field in the example, but if your events are already indexed, Splunk will have done that for you automatically.

Get Updates on the Splunk Community!

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...