Splunk Search

Counting occurrences of 5 specific strings in logs

AshimaE
Explorer

For a given sourcetype=src I have to search for five specific strings (let it be "abc", "def", "ghi", "jkl", "mno") occurring in the log and give the counts of each of these strings for every 10 minutes.

I had thought of doing it using join after calculating counts for each separately. Is there any better way of doing it since the sourcetype is the same?
For each individual one I had planned to use the query:
index=cm sourcetype=src "abc" | timechart span=10m count | join _time [....]

0 Karma
1 Solution

niketn
Legend

@AshimaE, if the strings are not already extracted as fields you can use the searchmatch eval function to count the same.

index=cm sourcetype=src ("abc" OR "def" OR "ghi" OR "jkl" OR "mno")
| timechart span=10m count(eval(searchmatch("abc"))) as "abc" count(eval(searchmatch("def"))) as "def" count(eval(searchmatch("ghi"))) as "ghi" count(eval(searchmatch("jkl"))) as "jkl" count(eval(searchmatch("mno"))) as "mno"

Since you are currently doing/planning this with join I am expecting that events are not overlapping, i.e. an event with "abc" will not have "def" and so on. If they do, a different approach will be required. Please try it out and confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

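As an added illustration, not part of the thread and not Splunk's own code, the following Python reproduces the logic of the accepted answer's query outside Splunk over a handful of constructed log lines: the base search keeps only events that contain at least one of the five strings, each event is placed in a 10-minute bucket the way timechart span=10m does, and one counter per string is incremented for each event the way count(eval(searchmatch("abc"))) as "abc" does. Assumptions: searchmatch is approximated as a case-insensitive substring test (Splunk's real searchmatch() applies search-string semantics such as term matching and wildcards), the log format and timestamps are invented, and the 10:18:01 event deliberately contains two of the strings so the overlap case the answer flags is visible: that event is counted once in the abc column and once in the def column, so the columns of a bucket no longer sum to its event count.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not taken from the thread): "<ISO-8601 UTC timestamp> <message>".
# The 10:18:01 event deliberately contains two of the strings to show the overlap case.
SAMPLE_LOG = """\
2024-03-01T10:01:05Z app=src msg=abc connection opened
2024-03-01T10:03:40Z app=src msg=def retry scheduled
2024-03-01T10:07:12Z app=src msg=abc connection opened
2024-03-01T10:09:59Z app=src msg=ghi cache miss
2024-03-01T10:10:00Z app=src msg=jkl user login
2024-03-01T10:14:30Z app=src msg=mno session closed
2024-03-01T10:18:01Z app=src msg=abc then def in one event
2024-03-01T10:25:00Z app=src msg=def retry scheduled
"""

PATTERNS = ("abc", "def", "ghi", "jkl", "mno")
SPAN_SECONDS = 600  # equivalent of timechart span=10m


def parse_line(line):
    """Split one raw event into (epoch seconds, message text)."""
    ts_text, _, message = line.partition(" ")
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(ts.timestamp()), message


def matches(message, pattern):
    """Assumption: searchmatch is approximated as a case-insensitive substring test.
    Splunk's searchmatch() applies real search-string semantics (term matching, wildcards)."""
    return pattern.lower() in message.lower()


def bucket_label(epoch, span=SPAN_SECONDS):
    """Floor an epoch to the start of its span-wide bucket and label it like a _time column."""
    start = epoch - (epoch % span)
    return datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%dT%H:%MZ")


def count_matches(log_text, patterns=PATTERNS, span=SPAN_SECONDS):
    """Per-bucket counts of events containing each pattern.

    Mirrors:  base search with ("abc" OR "def" OR ...)
              | timechart span=<span> count(eval(searchmatch(p))) as p   for each p
    An event that contains two patterns is counted once in each of those columns,
    exactly as separate count(eval(searchmatch(...))) aggregations would count it.
    """
    counts = defaultdict(lambda: {p: 0 for p in patterns})
    epochs = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        epoch, message = parse_line(raw)
        # The base search's OR filter: events matching none of the strings never reach timechart.
        if not any(matches(message, p) for p in patterns):
            continue
        epochs.append(epoch)
        row = counts[bucket_label(epoch, span)]
        for p in patterns:
            if matches(message, p):
                row[p] += 1
    if not epochs:
        return {}
    # timechart emits every bucket between the first and last event, zero-filled.
    first = min(epochs) - (min(epochs) % span)
    last = max(epochs) - (max(epochs) % span)
    for start in range(first, last + span, span):
        counts.setdefault(bucket_label(start, span), {p: 0 for p in patterns})
    return dict(sorted(counts.items()))


def render(counts, patterns=PATTERNS):
    """Render the result the way the timechart table would look."""
    header = "_time            " + " ".join(f"{p:>5}" for p in patterns)
    lines = [header]
    for label, row in counts.items():
        lines.append(f"{label} " + " ".join(f"{row[p]:>5}" for p in patterns))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(count_matches(SAMPLE_LOG)))
```

Running it prints three rows (10:00, 10:10, 10:20). In the 10:10 row the single overlapping event contributes 1 to both abc and def, which is the behaviour to expect from the searchmatch query when strings are not mutually exclusive; the join-per-string approach from the question would produce the same per-column numbers, only with one search per string instead of one.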


AshimaE
Explorer

Yes, they do not overlap, so this approach works well for my purpose. Thanks a lot @niketnilay

0 Karma

niketn
Legend

Glad it worked!!! 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

adonio
Ultra Champion

up-voting, i learned something new today!
thanks @niketnilay

0 Karma

niketn
Legend

@adonio, we all learn from each other. Your immaculate answers are always worth reading and most of the time I go BINGO, that is how it is done 🙂 Thanks!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma