Splunk Search

Displaying 2 counts (error and total)

shashankjuloori
New Member

There is a requirement in which I need to display the total count and errors (within the total count). The error message is in raw text.

0 Karma

richgalloway
SplunkTrust

Vague questions beget vague answers. @woodcock has the general idea. We must leave it to you to figure out how to extract the error text from each message since we don't have enough information about the structure of the messages.

---
If this reply helps you, Karma would be appreciated.
0 Karma

woodcock
Esteemed Legend

Like this:

... | rex field=_raw "message[-.]+(?<error_text>.+?)\s*[-.]+/message"
| stats dc(error_text) AS "error count" count AS "total count" by foundation
| eventstats sum("total count") AS "grand total count"
0 Karma

darrenfuller
Contributor

Hi shashankjuloori.

Not a lot to go on here. Is the error message extracted in a field or only in _raw? Can you share an event or two of sample data to help out a bit?

./d

0 Karma

shashankjuloori
New Member

The error message has to be extracted from raw text. Then I need to display the total events count and the error events count.

0 Karma

richgalloway
SplunkTrust

Still not enough to work with. Please provide some sample events (mask private data) and desired output.

---
If this reply helps you, Karma would be appreciated.
0 Karma

shashankjuloori
New Member

field1= || field2= || field3= || message------------error text ----------/message
This is the error message structure.

Here I need to separate the events which contain error text (suppose these to be errors) and display both the total count and the error count.

0 Karma

to4kawa
Ultra Champion

We can extract the error text and message, but aren't these actual logs?

0 Karma

shashankjuloori
New Member

Sorry, I can't paste the logs due to security reasons.
Events are logged based on the field foundation, suppose A, B, C,
and the logs will be like:

index=* Foundation=A | field1 | field2| ...message......errortest.../message
index=* Foundation=A | field1 | field2| ...message......errortest.../message
index=* Foundation=B | field1 | field2| ...message......errortest.../message
index=* Foundation=C | field1 | field2| ...message......errortest.../message

Here I need to segregate the events based on the error text and total count, and the output should be like:

Foundation | error count | total count
A          | count       | count
B          | count       | count
C          | count       | count

And I am sorry for messing things up.

0 Karma
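A runnable version of the approach from woodcock's answer, applied to the event layout shown above. This is an added example, not the original poster's search or data: the five events are constructed inline with makeresults/split (the field names, separators and error texts are assumed), the Foundation value and the error text are pulled out of _raw with rex, and count(error_text) counts only events where the rex matched, so events with no message block contribute to "total count" but not to "error count" (dc(error_text) would instead count distinct error messages).

```spl
| makeresults
| eval lines=split("Foundation=A | field1=x | field2=y | message------------Timeout reading upstream ----------/message;Foundation=A | field1=x | field2=y | request ok;Foundation=B | field1=x | field2=y | message......Timeout reading upstream.../message;Foundation=B | field1=x | field2=y | message......Disk full.../message;Foundation=C | field1=x | field2=y | request ok", ";")
| mvexpand lines
| rename lines AS _raw
| rex field=_raw "Foundation=(?<foundation>\w+)"
| rex field=_raw "message[-.]+(?<error_text>.+?)\s*[-.]+/message"
| stats count(error_text) AS "error count" count AS "total count" by foundation
| eventstats sum("total count") AS "grand total count"
```

The result is one row per foundation with both counts plus the grand total; in a real search, replace the first four lines with your own base search (for example index=... Foundation=*) and keep the rex, stats and eventstats lines unchanged.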

woodcock
Esteemed Legend

I updated my vague answer.

0 Karma

shashankjuloori
New Member

Thanks for the help.

0 Karma