Solved: EventStats count Function

markthompson · ‎01-08-2015

Hello,
I'm looking to use the eventstats function to count the amount of times the word Error occurs in my event.

Can anyone help as it doesn't appear to work ?

tom_frotscher · ‎01-08-2015

Hi,

if you want to count the amount of times a word exists in a single event, i do not think eventstats can do it. You can use the stats commands for example to tell you how much events out of all your events contain the word "error".

But you can get what you want with a little combination of regex and eval. In the following run everywhere example, i counted the word hello in the field "text":

| stats count | eval text= "hello world hello my friends and so on hello." | rex field=text max_match=0 "(?<list>hello)" | eval amount=mvcount(list)

For your usecase you can change the field of the rex command to "_raw" (wich is also the default) and it should work.

Greetings

Tom

View solution in original post

fdi01 · ‎01-08-2015

       ...  "error"| eventstats count  as number_events_error | table number_events_error

markthompson · ‎01-08-2015

Hi fdi01,
We've tried this but it's not really working as we do other stuff above. Any other ideas?

tom_frotscher · ‎01-08-2015

Hi,

if you want to count the amount of times a word exists in a single event, i do not think eventstats can do it. You can use the stats commands for example to tell you how much events out of all your events contain the word "error".

But you can get what you want with a little combination of regex and eval. In the following run everywhere example, i counted the word hello in the field "text":

| stats count | eval text= "hello world hello my friends and so on hello." | rex field=text max_match=0 "(?<list>hello)" | eval amount=mvcount(list)

For your usecase you can change the field of the rex command to "_raw" (wich is also the default) and it should work.

Greetings

Tom

markthompson · ‎01-08-2015

Hi Tom,
We cannot use the stats as we want to table it later on, so we would need to use some sort of other combination.

Any ideas?

aweitzman · ‎01-08-2015

Tom's suggestion doesn't use stats. Starting a search with | stats count is just a way to create a sample without any real data. Replace Tom's | stats count with your actual search string, and remove his eval text= phrase, since your data already exists. The important part in his answer is the rex:

...your search... | rex field=_raw max_match=0 "(?<list>hello)" | eval amount=mvcount(list)

acharlieh · ‎01-08-2015

In this case, tom's use of stats count and the first eval are just to setup a dummy event for testing. He's suggesting that you use the following rex and eval

tom_frotscher · ‎01-08-2015

Correct, i edited it while you were writing this xD

tom_frotscher · ‎01-08-2015

Can you maybe post some sampledata and your search string? Because i do currently not understand why the solution should not be applicable.

If you mean because i used the stats command first, this is just to let my example run everywhere. You can also do this:

index=_internal sourcetype=splunkd | rex  max_match=0 "(?<list>size)" | eval amount=mvcount(list) | table _raw amount

Which counts the word "size" per event in your splunkd logs.

EventStats count Function

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies