Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Get different message Counts from the same field
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Get different message Counts from the same field
Hello @richgalloway , I am asking your help again to get counts for below messages. I tried the same instruction but unable to get counts. From below messages get counts depends and message value. Your help would be highly appreciated.
Consider message which ends with To Report. and get counts.
message contains "Parker could not be processed" - Failure count
message contains "Parker successfully issued" - Success Count
message contains "System exception.Parker Exception Occurred " - System exception Count
if message has Any other message : Partial Success
get total count Total Count.
| PK11036791 : Parker successfully issued the 06/05/2021 renewal.,.To Report. |
| PK11036918 : Parker successfully issued the 06/05/2021 renewal.,.To Report. |
| PK11037082 : Parker successfully issued the 06/05/2021 renewal.,.To Report. |
| PK01041601 : New activity on DRA for Michael Demiranda.,Please review new MVR information.,New PPA changes present.,Multiple Property policies present, please work HO.,.To Report. |
| PK11032274 : Please review new MVR information.,.To Report. |
| PK11036998 : Parker successfully issued the 06/05/2021 renewal.,.To Report. |
| PK11041586 : New HO changes present.,Please review new MVR information.,New PPA changes present.,.To Report. |
| PK11004163 : New HO changes present.,New PPA changes present.,.To Report. |
| PK11014724 : New PPA changes present.,.To Report. |
| PK11041665 : New HO changes present.,Please review new MVR information.,New PPA changes present.,.To Report. |
| Parker could not be processed, please work PK Renewal. To Report. |
| System exception.Parker Exception Occurred : Unable to extract Pending Renewal policy period for PK Policy. at Source: Invoke Workflow File: Get Data: Throw |
| System exception.Parker Exception Occurred : Index and length must refer to a location within the string. Parameter name: length at Source: Invoke Workflow File: Make Decision: Throw |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Murali51,
Only changing last case value should help, please try below;
index=main host=brprwbpa001 robotJobName=Parker ("System Exception" OR "To Report.")
| eval Message=case(like(Message,"%Parker successfully%"), "Successful Count", like(Message, "Parker could not be processed, please work PK Renewal.%"), "Exception Count", like(Message, "System exception%"), "System exception Count", 1==1, "Partial Success")
| stats count by Message
| addcoltotals label="Total Count" labelfield=Message- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @richgalloway when you get a chance can you please look into my query, thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have tried below query and didn't work.
index=main host=brprwbpa001 robotJobName=Parker ("System Exception" OR "To Report.") | eval Message=case(like(Message,"%Parker successfully%"), "Successful Count", like(Message, "Parker could not be processed, please work PK Renewal.%"), "Exception Count", like(Message, "System exception%"), "System exception Count", 1==1, Message)| stats count by Message| addcoltotals label="Total Count" labelfield=Message
Splunk Observability for AI
Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...
Splunk Observability as Code: From Zero to Dashboard
