Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Displaying 2 counts (error and total)

shashankjuloori
New Member
‎03-24-2020 10:27 AM

There is a requirement in which i need to display total count and errors(in total count). error message is in raw text.

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-25-2020 05:48 AM

Vague questions beget vague answers. @woodcock has the general idea. We must leave it to you to figure out how to extract the error text from each message since we don't have enough information about the structure of the messages.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

woodcock
Esteemed Legend
‎03-24-2020 04:30 PM

Like this:

... | rex to create error_text
| stats dc(error_text) AS "error count" count AS "total count" by foundation
| eventstats sum('total count') AS "grand total count"
0 Karma
Reply

darrenfuller
Contributor
‎03-24-2020 11:30 AM

Hi shashankjuloori.

Not a lot to go on here. is the error message extracted in a field or only in _raw? Can you share an event or two of sample data to help out a bit|?

./d

0 Karma
Reply

shashankjuloori
New Member
‎03-24-2020 11:44 AM

error message has to be extracted from raw text. Then i need to display total events count and error events count.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-24-2020 12:09 PM

Still not enough to work with. Please provide some sample events (mask private data) and desired output.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

shashankjuloori
New Member
‎03-24-2020 12:21 PM

field1= || field2= || field3= || message------------error text ----------/message
this is the error message structure.

here i need to separate the events which contains error text, suppose it to be errors and display both total count and error count.

0 Karma
Reply

to4kawa
Ultra Champion
‎03-24-2020 02:24 PM

we can extract error text and message
but, isn't these actual logs?

0 Karma
Reply

shashankjuloori
New Member
‎03-25-2020 03:39 AM

Sorry, i cant paste the logs due to security reasons.
Events are logged based on the field foundation, suppose A, B, C.
and logs will be like

index=* Foundation=A | field1 | field2| ...message......errortest.../message
index=* Foundation=A | field1 | field2| ...message......errortest.../message
index=* Foundation=B | field1 | field2| ...message......errortest.../message
index=* Foundation=C | field1 | field2| ...message......errortest.../message

here i need to segregate the events based on the error text and total count, and the output should be like

Foundation        |  error count   | total count
   A            count             count
   B            count             count
   C            count            count

and i am sorry for messing up the things.

0 Karma
Reply

woodcock
Esteemed Legend
‎03-25-2020 07:14 AM

I updated my vague answer.

0 Karma
Reply

shashankjuloori
New Member
‎03-25-2020 07:16 AM

Thanks for the help.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...