Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Group the events

ncbshiva
Communicator
‎06-13-2013 11:26 PM

Hi

I have a log file , i want to search events for first occurrence of word "error" in that file, till the first occurrence of word "READY TO ACTIVATE".

I want to list all the events between first occurrence of "error" and first occurrence of "READY TO ACTIVATE".

Please help me ..........

Tags (1)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎06-14-2013 12:30 AM

Using transaction like Ayn suggests; you'll get multivalued fields. Assuming that you have a field called 'status' which in your case contains either 'error' or 'ok', you could do (after the transaction) 

| eval err = mvfilter(match(status, "error")) |  eval err_count = mvcount(err)

If all the events in the transaction contains status=error, you could use the eventcount field that is created by the transaction. Perhaps subtract 1 from the eventcount, if the 'READY TO ACTIVATE' event does not contain 'error'.

Without sample events, it is a lot harder to give you good advice.

/K

Reply

ncbshiva
Communicator
‎07-02-2013 05:44 AM

Hi kristian.kolb

I am not getting the count of word "error" correctly, If there are two "error" words in the log file , its giving the count as one only....

please help me....

Reply

Ayn
Legend
‎06-14-2013 12:00 AM

Use transaction.

... | transaction startswith="error" endswith="READY TO ACTIVATE"
Reply

ncbshiva
Communicator
‎06-14-2013 12:04 AM

i have used the same, but i need to evaluate the count of "error" from line 1 till the first occurrence of "READY TO ACTIVATE"

Thanks in advance.......

Reply

ncbshiva
Communicator
‎06-13-2013 11:43 PM

Hi

I have a log file , i want to evaluate count of errors from line 1 of the file till the first occurrence of "READY TO ACTIVATE" phrase.

Please help me ..........

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...