I'd like to count the occurrences of a certain string for a specific server. Right now I'm using:
host="host.test.com" AND "Sent mail to" | stats count as Total
This returns the number of events found. However, in some cases one event contains this string more than once and I'd like to count those as well.
How do I count the occurrences of that string rather than the number of events this string occurs in?
Try this
host="host.test.com" AND "Sent mail to" | rex field=_raw max_match=0 "(?P<SentMail>Sent mail to*)" | eval count=mvcount(SentMail) | stats sum(count) as Total
hey somesoni,
This query is working fine. Can you tell me any other alternative to find events that contain several occurrences of the string?
No, the format is as follows within a single event:
Sent mail to user1@mail.com (205ms)
Rendered user_mailer/email.html.erb (22.4ms)
Sent mail to user2@mail.com (196ms)
Rendered user_mailer/email.html.erb (22.4ms)
In this case I'd need to count this as two occurrences
Is there some kind of delimiter? Because if there is, then you want to make a multivalue field and then create a field that holds the number of values... then you can sum on that field. If you show a few lines of the log, I can be more specific...
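Added example, not part of any post in this thread: a Python stand-in for the `rex max_match=0` / `mvcount` / `stats sum` pipeline, useful for checking the expected totals offline against sample log lines before trusting a dashboard number. The events are constructed (the first reuses the format shown above), and the names `EVENTS`, `SENT` and `summarize` are assumptions of this example; it also goes one step further than the thread by breaking the total down per recipient.

```python
import re
from collections import Counter

# Constructed sample events. Each list item is one multi-line event.
EVENTS = [
    "Sent mail to user1@mail.com (205ms)\n"
    "Rendered user_mailer/email.html.erb (22.4ms)\n"
    "Sent mail to user2@mail.com (196ms)\n"
    "Rendered user_mailer/email.html.erb (22.4ms)",
    "Sent mail to user1@mail.com (180ms)\n"
    "Rendered user_mailer/email.html.erb (21.0ms)",
    # An event without the string: the base search would never return it.
    "Rendered user_mailer/email.html.erb (19.8ms)",
]

# Every match in the event is kept, as with rex max_match=0.
SENT = re.compile(r"Sent mail to (\S+)")


def summarize(events):
    """Return (matching_events, total_occurrences, per_recipient)."""
    matching_events = 0
    total = 0
    per_recipient = Counter()
    for raw in events:
        recipients = SENT.findall(raw)  # multivalue field equivalent
        if not recipients:
            continue                    # filtered out by the search terms
        matching_events += 1            # what "stats count" reports
        total += len(recipients)        # mvcount, then stats sum(count)
        per_recipient.update(recipients)
    return matching_events, total, per_recipient


if __name__ == "__main__":
    n_events, n_total, by_rcpt = summarize(EVENTS)
    print(f"events={n_events} occurrences={n_total}")
    for rcpt, n in by_rcpt.most_common():
        print(f"  {rcpt}: {n}")
```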