Count of multiple unique events per field

larunrahul · ‎07-14-2024

Hi Folks,

I have two types of events that look like this

Type1:

TXN_ID=abcd inbound call INGRESS

Type2:

TXN_ID=abcd inbound call EGRESS

i want to find out how many events of each type per TXN_ID. If the counts per type don't match per TXN_ID, I want to out put that TXN_ID

I know that we can do stats count by TXN_ID. But how do so do that Per event type in same query?

Appreciate the help.

Thanks

tscroggins · ‎07-14-2024

Hi @larunrahul,

You can use the rex, chart, and where commands to extract the call type, summarize the events, and filter the results, respectively:

| makeresults format=csv data="_raw
TXN_ID=abcd inbound call INGRESS
TXN_ID=abcd inbound call EGRESS
TXN_ID=efgh inbound call INGRESS" 
| extract 
| rex "inbound call (?<call_type>[^\\s]+)" 
| chart count over TXN_ID by call_type 
| where INGRESS!=EGRESS

TXN_ID	EGRESS	INGRESS
efgh         0        1

I've used the extract command to automatically extract the TXN_ID field in the example, but if your events are already indexed, Splunk will have done that for you automatically.

Count of multiple unique events per field

count

stats

subsearch

transaction

Mastering Threat Hunting

Harnessing Splunk’s Federated Search for Amazon S3

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report