Count of multiple unique events per field
larunrahul
Observer
07-14-2024
05:20 AM
Hi Folks,
I have two types of events that look like this
Type1:
TXN_ID=abcd inbound call INGRESS
Type2:
TXN_ID=abcd inbound call EGRESS
I want to find out how many events of each type there are per TXN_ID. If the counts per type don't match for a TXN_ID, I want to output that TXN_ID.
I know that we can do stats count by TXN_ID. But how do I do that per event type in the same query?
Appreciate the help.
Thanks
tscroggins
Influencer
07-14-2024
07:39 AM
Hi @larunrahul,
You can use the rex, chart, and where commands to extract the call type, summarize the events, and filter the results, respectively:
| makeresults format=csv data="_raw
TXN_ID=abcd inbound call INGRESS
TXN_ID=abcd inbound call EGRESS
TXN_ID=efgh inbound call INGRESS"
| extract
| rex "inbound call (?<call_type>[^\\s]+)"
| chart count over TXN_ID by call_type
| where INGRESS!=EGRESS
TXN_ID EGRESS INGRESS
efgh 0 1
I've used the extract command to automatically extract the TXN_ID field in the example, but if your events are already indexed, Splunk will have done that for you automatically.
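As an added example (not part of tscroggins' answer), the same search run over a constructed window in which only INGRESS events exist. Because the chart then has no EGRESS column, the original where clause compares against a null field and drops every row, so the mismatched TXN_IDs would silently disappear; the eval line pins both counts to 0 before the comparison:

```spl
| makeresults format=csv data="_raw
TXN_ID=abcd inbound call INGRESS
TXN_ID=efgh inbound call INGRESS
TXN_ID=efgh inbound call INGRESS"
| extract
| rex "inbound call (?<call_type>[^\\s]+)"
| chart count over TXN_ID by call_type
| eval INGRESS=coalesce(INGRESS, 0), EGRESS=coalesce(EGRESS, 0)
| eval diff=INGRESS-EGRESS
| where INGRESS!=EGRESS
| table TXN_ID INGRESS EGRESS diff
```

With the eval in place the search returns abcd (1 vs 0) and efgh (2 vs 0); without it, it returns nothing for this data.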
