Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Grouping by the words in a field

H2ck1ngPr13sT
Loves-to-Learn
‎10-15-2024 05:07 AM

HI,

I have a below query, I want to group and count by two different words, one group per word, in a field "text1.value"  which are Load Balancer and Endpoints words are located somewhere in a string. Also I want to count how many of them occured per one day. 

Is this possible?

index=monitor name="Manager - Error" text2.value="*Rerun"  text1.value="*Load Balancer*" OR "*Endpoints*"


Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-15-2024 05:18 AM

Hi @H2ck1ngPr13sT ,

if you want your count for one day, you could use something like this:

index=monitor name="Manager - Error" text2.value="*Rerun"  text1.value IN ("*Load Balancer*", "*Endpoints*") earliest=-1d latest=now
| rename text1.value AS text1_value
| stats 
     count(eval(searchmatch(text1_value,"Load Balancer"))) AS LoadBalancer
     count(eval(searchmatch(text1_value,"Endpoints"))) AS Endpoints

if instead yu want the values for each day in the last 7 days, you could use something like this:

index=monitor name="Manager - Error" text2.value="*Rerun"  text1.value IN ("*Load Balancer*", "*Endpoints*") earliest=-17 latest=now
| rename text1.value AS text1_value
| eval type=if(searchmatch(text1_value,"Load Balancer"),"LoadBalancer", "Endpoints")
| timechart span=1d count BY type

Ciao.

Giuseppe

0 Karma
Reply

H2ck1ngPr13sT
Loves-to-Learn
‎10-15-2024 09:23 AM

Unfortunately, I'm getting error: "Error in 'EvalCommand': The arguments to the 'searchmatch' function are invalid." I've tried both solutions.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-16-2024 12:04 AM

Hi @H2ck1ngPr13sT ,

sorry I confused searchmatch with match, please use match function.

Ciao.

Giuseppe

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎10-15-2024 12:25 PM

Replace searchmatch(text1_value,"Load Balancer") with searchmatch("text1_value=\"*Load Balancer*\""), and so on.  BTW, rename is not needed for searchmatch because it accepts any syntax/shortcut that the search command accepts. (Like search, it also does case-insensitive match.)  For example,

index=monitor name="Manager - Error" text2.value="*Rerun"  text1.value IN ("*Load Balancer*", "*Endpoints*") earliest=-1d latest=now
| stats 
     count(eval(searchmatch("text1.value=\"*Load Balancer*\""))) AS LoadBalancer
     count(eval(searchmatch("text1.value = \"*Endpoints*\""))) AS Endpoints

 

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...