Re: Get New event and it's count

patelbhavin2426 · ‎11-29-2021

I want to simply get new exceptions that occur within last 30 minutes which did not happened anytime last week on the same day.

I have this query to get exceptions for last weekday.

earliest=-7d@d latest=-6d@d index=production "java.lang.NullPointerException*" | stats count by field6

Which gives me result ::

abcd.handler.CreateBankHandler	26
abcd.cr.RequestProcessor	34
abcd.cr.SessionInfo	1
abcd.cr.SSOServlet	2
abcd.impl.ExportManagerImpl	1
abcd.impl.ImportFileProcessor	1

The second query

earliest=-1d@d latest=now index=production  "java.lang.NullPointerException*" | stats count by field6

Which gives me result ::

abcd.handler.CreateBankHandler	27
abcd.cr.RequestProcessor	7
abcd.cr.SessionInfo	1
abcd.cr.BaseServlet	6
abcd.cr.SSOServlet

So, the result should be new events from the second query.

Name ::

abcd.cr.BaseServlet

ITWhisperer · ‎11-29-2021

earliest=-7d@d latest=-6d@d index=production "java.lang.NullPointerException*" | stats count by field6
| eval count=2
| append
  [ search earliest=-30m@m latest=now index=production "java.lang.NullPointerException*" | stats count by field6
  | eval count=1]
| stats sum(count) as count by field6
| where count=1

Get New event and it's count

join

metadata

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2