Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Count with few eval and timechart

michalmartofel
Observer
‎07-21-2021 03:38 AM

Hi,

i have a problem with a few queries. I have something actually like this:

 

 

index = nsw_prod_eximee ERROR 
| rex field=formInstanceNumber (?<pref>\w{3})\d{9} 
| rex field=applicationNumber (?<pref>\w{3})\d{9} 
| eval "Name" = case(pref=="USP", "mProtection", pref=="FGT", "mTravel", pref=="FGH", "HouseHold", pref=="FGS", "mMoto") 
| stats count as formInstanceNumber by "Name" 
| rename formInstanceNumber as "Errors"

 

 

And i have a table with a 4 values:

michalmartofel_1-1626863691530.png

But now i have a problem to count a column "Errors". I want to count all Errors.

 

2. The second problem i have, i can't do the timechart and i need help with it. I want to do timechart with that all values, but when i do that, there is no columns on timechart. How to get that query?

 

Thanks in advance.

Labels (3)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-21-2021 03:56 AM

What do you mean count errors - the sum of the values in the errors column or the number of rows?

For a timechart, you need a _time field - this is not carried forward by the stats command (unless you say that it should be, and in this case you might want to bin _time into spans of time before you do the stats).

0 Karma
Reply

michalmartofel
Observer
‎07-21-2021 04:04 AM

1. Yes, excatly, i need the sum of the values in the errors column.

2. About timechart.. Actually i have a timechart with one product with query:

index = nsw_prod_eximee ERROR | regex _raw="[F][G][S]\d{9}" | dedup formInstanceNumber | timechart count by dc(formInstanceNumber OR applicationNumber) where count in top99

But now i want to have all products which have different regex (FGS, FGH, FGT, USP) and different field to dedup (with FGS and FGH i need to dedup variable formInstanceNumber, for USP and FGT it's applicationNumber). 

For one product it's okey, but how to connect all that regexes with dedups in timechart. That's my question.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...