Re: Get different message Counts from the same fie...

Murali51 · ‎03-06-2021

Hello @richgalloway , I am asking your help again to get counts for below messages. I tried the same instruction but unable to get counts. From below messages get counts depends and message value. Your help would be highly appreciated.

Consider message which ends with To Report. and get counts.

message contains "Parker could not be processed" - Failure count

message contains "Parker successfully issued" - Success Count

message contains "System exception.Parker Exception Occurred " - System exception Count

if message has Any other message : Partial Success

get total count Total Count.

PK11036791 : Parker successfully issued the 06/05/2021 renewal.,.To Report.

PK11036918 : Parker successfully issued the 06/05/2021 renewal.,.To Report.

PK11037082 : Parker successfully issued the 06/05/2021 renewal.,.To Report.

PK01041601 : New activity on DRA for Michael Demiranda.,Please review new MVR information.,New PPA changes present.,Multiple Property policies present, please work HO.,.To Report.

PK11032274 : Please review new MVR information.,.To Report.

PK11036998 : Parker successfully issued the 06/05/2021 renewal.,.To Report.

PK11041586 : New HO changes present.,Please review new MVR information.,New PPA changes present.,.To Report.

PK11004163 : New HO changes present.,New PPA changes present.,.To Report.

PK11014724 : New PPA changes present.,.To Report.

PK11041665 : New HO changes present.,Please review new MVR information.,New PPA changes present.,.To Report.

Parker could not be processed, please work PK Renewal. To Report.

System exception.Parker Exception Occurred : Unable to extract Pending Renewal policy period for PK Policy. at Source: Invoke Workflow File: Get Data: Throw

System exception.Parker Exception Occurred : Index and length must refer to a location within the string. Parameter name: length at Source: Invoke Workflow File: Make Decision: Throw

scelikok · ‎03-08-2021

Hi @Murali51,

Only changing last case value should help, please try below;

index=main host=brprwbpa001 robotJobName=Parker ("System Exception" OR "To Report.")
| eval Message=case(like(Message,"%Parker successfully%"), "Successful Count", like(Message, "Parker could not be processed, please work PK Renewal.%"), "Exception Count", like(Message, "System exception%"), "System exception Count", 1==1, "Partial Success") 
| stats count by Message 
| addcoltotals label="Total Count" labelfield=Message

If this reply helps you an upvote and "Accept as Solution" is appreciated.

Murali51 · ‎03-08-2021

Hi @richgalloway when you get a chance can you please look into my query, thanks.

Murali51 · ‎03-06-2021

I have tried below query and didn't work.

index=main host=brprwbpa001 robotJobName=Parker ("System Exception" OR "To Report.") | eval Message=case(like(Message,"%Parker successfully%"), "Successful Count", like(Message, "Parker could not be processed, please work PK Renewal.%"), "Exception Count", like(Message, "System exception%"), "System exception Count", 1==1, Message)| stats count by Message| addcoltotals label="Total Count" labelfield=Message

Get different message Counts from the same field

count

eval

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Join the Conversation