Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Counting the occurence of a string in log files

ncbshiva
Communicator
‎07-03-2013 01:01 AM

Hi this is my sample log file

[M2E-CSI]2013-06-11 01:19:40,924 PDT - Hydra is starting Control Channel
[M2E-CSI]2013-06-11 01:19:40,926 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,926 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,926 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,926 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,926 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,928 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,928 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,928 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,928 PDT - Error is adding AdapterJMS as Reconnectable

I need to count the occurrence of word "Error" in the above log file and display the count.

thanks in advance

Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎07-03-2013 05:08 AM

As long as each file is a different source withing Splunk, you can:

your_search_for_files | eval has_error = if(match(_raw, "Error"),1,0)| stats sum(has_error) by source

If you want to get the number of Errors per transaction within a source, try this (UNIQ_ID_FIELD refers to the field with the individual transaction id in it):

your_search_for_files | eval has_error = if(match(_raw, "Error"),1,0)| transaction startswith="Start" endswith="Success" source | stats sum(has_error) by UNIQ_ID_FIELD

Reply

shri_27
Path Finder
‎07-03-2013 05:52 AM

Thanks for your reply..
I am not the correct count of "error messages".
For example if the there are two to three "error messages" in the transaction , it will show the count as 1 only.......

0 Karma
Reply

shri_27
Path Finder
‎07-03-2013 03:40 AM

Hi Thanks for your reply, however the full scenario is as below:
I have 5 files of the same sourcetype
In each file I have a string "Start" somewhere at the top, a string "Success" somewhere in the middle of the log file & finally a string "stop" at the end of the log file.

My intention is to count the total no. of "error messages" in each file between the "Start" & "Success" strings only. So the output I'd expect is:

file 1 3 errors
file 2 5 errors
file 3 1 error
file 4 7 errors
file 5 2 errors

I tried using transaction command for starts with & ends with strings however it does not return the count of error messages - only outputs "1" if error messages are present

Pls help

0 Karma
Reply

linu1988
Champion
‎07-03-2013 02:56 AM

source="source_name" "Error"|stats count

if its no separate event set props.conf
SHOULD_LINEMERGE=false
and start re-indexing your data/ use mvexpand command to get the fields separated as it will hard to find exact stats from a multivalued field.

Done!!

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...