Solved: Events contain several occurrences of search strin...

smiehe · ‎05-15-2014

I'd like to count the occurrences of a certain string for a specific server. Right now I'm using:

host="host.test.com" AND "Sent mail to" | stats count as Total

This returns the number of Events found. However, in some cases one event contains this string more than once and I'd like to count those as well.

How do I count the occurrences of that String rather than the number of events this String occurs in?

somesoni2 · ‎05-15-2014

Try this

host="host.test.com" AND "Sent mail to" | rex field=_raw max_match=0 "(?P<SentMail>Sent mail to*)" | eval count=mvcount(SentMail) | stats sum(count) as Total

View solution in original post

somesoni2 · ‎05-15-2014

Try this

host="host.test.com" AND "Sent mail to" | rex field=_raw max_match=0 "(?P<SentMail>Sent mail to*)" | eval count=mvcount(SentMail) | stats sum(count) as Total

erritesh17 · ‎03-25-2016

hey somesoni,

This query is working fine , can you tell me any other alternative to find events contain several occurrences string.

smiehe · ‎05-15-2014

No, the format is as follows within a single event:

Sent mail to user1@mail.com (205ms)
Rendered user_mailer/email.html.erb (22.4ms)
Sent mail to user2@mail.com (196ms)
Rendered user_mailer/email.html.erb (22.4ms)

In this case I'd need to count this as two occurrences

rsennett_splunk · ‎05-15-2014

Is there some kind of delimiter? because if there is, then you want to make a multivalue field and then create a field that holds the number of values... then you can sum on that field. If you show a few lines of the log, I can be more specific...

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

Events contain several occurrences of search string

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life