- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Counting the occurence of a string in log file...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Counting the occurence of a string in log files
Hi this is my sample log file
[M2E-CSI]2013-06-11 01:19:40,924 PDT - Hydra is starting Control Channel
[M2E-CSI]2013-06-11 01:19:40,926 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,926 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,926 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,926 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,926 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,928 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,928 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,928 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,928 PDT - Error is adding AdapterJMS as Reconnectable
I need to count the occurrence of word "Error" in the above log file and display the count.
thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As long as each file is a different source withing Splunk, you can:
your_search_for_files | eval has_error = if(match(_raw, "Error"),1,0)| stats sum(has_error) by source
If you want to get the number of Errors per transaction within a source, try this (UNIQ_ID_FIELD refers to the field with the individual transaction id in it):
your_search_for_files | eval has_error = if(match(_raw, "Error"),1,0)| transaction startswith="Start" endswith="Success" source | stats sum(has_error) by UNIQ_ID_FIELD
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your reply..
I am not the correct count of "error messages".
For example if the there are two to three "error messages" in the transaction , it will show the count as 1 only.......
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Thanks for your reply, however the full scenario is as below:
I have 5 files of the same sourcetype
In each file I have a string "Start" somewhere at the top, a string "Success" somewhere in the middle of the log file & finally a string "stop" at the end of the log file.
My intention is to count the total no. of "error messages" in each file between the "Start" & "Success" strings only. So the output I'd expect is:
file 1 3 errors
file 2 5 errors
file 3 1 error
file 4 7 errors
file 5 2 errors
I tried using transaction command for starts with & ends with strings however it does not return the count of error messages - only outputs "1" if error messages are present
Pls help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
source="source_name" "Error"|stats count
if its no separate event set props.conf
SHOULD_LINEMERGE=false
and start re-indexing your data/ use mvexpand command to get the fields separated as it will hard to find exact stats from a multivalued field.
Done!!
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
