Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Group the events

ncbshiva
Communicator
‎06-13-2013 11:26 PM

Hi

I have a log file , i want to search events for first occurrence of word "error" in that file, till the first occurrence of word "READY TO ACTIVATE".

I want to list all the events between first occurrence of "error" and first occurrence of "READY TO ACTIVATE".

Please help me ..........

Tags (1)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎06-14-2013 12:30 AM

Using transaction like Ayn suggests; you'll get multivalued fields. Assuming that you have a field called 'status' which in your case contains either 'error' or 'ok', you could do (after the transaction) 

| eval err = mvfilter(match(status, "error")) |  eval err_count = mvcount(err)

If all the events in the transaction contains status=error, you could use the eventcount field that is created by the transaction. Perhaps subtract 1 from the eventcount, if the 'READY TO ACTIVATE' event does not contain 'error'.

Without sample events, it is a lot harder to give you good advice.

/K

Reply

ncbshiva
Communicator
‎07-02-2013 05:44 AM

Hi kristian.kolb

I am not getting the count of word "error" correctly, If there are two "error" words in the log file , its giving the count as one only....

please help me....

Reply

Ayn
Legend
‎06-14-2013 12:00 AM

Use transaction.

... | transaction startswith="error" endswith="READY TO ACTIVATE"
Reply

ncbshiva
Communicator
‎06-14-2013 12:04 AM

i have used the same, but i need to evaluate the count of "error" from line 1 till the first occurrence of "READY TO ACTIVATE"

Thanks in advance.......

Reply

ncbshiva
Communicator
‎06-13-2013 11:43 PM

Hi

I have a log file , i want to evaluate count of errors from line 1 of the file till the first occurrence of "READY TO ACTIVATE" phrase.

Please help me ..........

Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...