Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Count total of 2 search terms and print unique results

nishil
New Member
‎08-01-2011 06:14 AM

Hi! I'm pretty new to splunk and i'm trying to figure out how to:
1. Search for 2 different strings (dealswidget OR hotelquerywidget)
2. then total the occurences of the 2 strings
3. print the result for each of the strings

Can anyone help please?

The lines in the logs appear as:

10.186.198.6 - - [29/Jul/2011:00:03:08 -0500] "GET /js/lib/jquery-1.5.js HTTP/1.0" 200 211978 "http://partners.hotels.com/hotelquerywidget/1/1/HCOM_ES-es_ES/hotelquerywidget.html" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30" "5DC1789408E34ECF1A8F25E521617E9D.ut03hap01"

10.186.198.6 - - [29/Jul/2011:00:09:04 -0500] "GET /styles/widget/hcom.external.common.css HTTP/1.1" 200 4255 "http://partners.hotels.com/dealswidget/1/2/1633826/HCOM_NO-no_NO/widget.html" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30" "3EDEC4AAE25F8C92260C2132409F54BC.ut03hap01"

Tags (2)
0 Karma
Reply

nishil
New Member
‎08-02-2011 03:15 AM

Joetron's solution works - many thanks.
It displays a count of the 2 strings i searched for. But how do i include the actual log lines in the results?

0 Karma
Reply

Ayn
Legend
‎08-02-2011 03:21 AM

add values(_raw) in your stats command, like: "| stats count,values(_raw) by yourextractedfield"

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎08-01-2011 07:10 AM

A quick and dirty way is:

"dealswidget" OR "hotelquerywidget" 
| rex "(?<myword>dealswidget|hotelquerywidget)"
| stats count by myword

Although you don't specify how to count if both words appear in an event, or if one word appears more than once.

Reply

RicoSuave
Builder
‎08-01-2011 06:51 AM

I would first setup some type of field extraction for the webpage you are looking to report on. Then just run your search as follows

index=myindex yourextractedfield=dealswidget OR yourextractedfield=hotelquerywidget | stats count by yourextractedfield

0 Karma
Reply
Get Updates on the Splunk Community!

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...

4 Ways the Splunk Community Helps You Prepare for .conf25

.conf25 is right around the corner, and whether you’re a first-time attendee or a seasoned Splunker, the ...

Enhance Your Splunk App Development: New Tools & Support

UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...