Hi all,
I want a count of the word "ERROR" in the group of events for which I have used the transaction command!
My search query is
source="*.log" | transaction startswith="Hydra is starting Control Channel" endswith="completed Setup"
Now I want to count the number of times the word "ERROR" has occurred between the limits.
Sample log:
[M2E-CSI]2013-06-11 01:19:40,924 PDT - Hydra is starting Control Channel
[M2E-CSI]2013-06-11 01:19:40,926 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,926 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,926 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,926 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,926 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,928 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,928 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,928 PDT - Error is adding AdapterJMS as Reconnectable
[M2E-CSI]2013-06-11 01:19:40,928 PDT - Error is adding AdapterJMS as Reconnectable
completed setup
I would use eval to make a numeric field valued at 0 or 1 as appropriate, on the events before transaction. This will then become a multivalued field in the transaction rows, and then you can more easily sum it up. Granted, if we're talking about a really large number of errors per transaction, then you might hit some multivalued-field limits.
source="*.log" | eval errorCount=if(searchmatch("ERROR"),1,0) | transaction startswith="Hydra is starting Control Channel" endswith="completed Setup" | streamstats count as rowIndex | streamstats sum(errorCount) as totalErrors by rowIndex
Thanks for the reply....
index=foo | eval errorCount=if(searchmatch("Error"),1,0) | transaction startswith="Error" endswith="READY TO ACTIVATE" mvlist=t | streamstats count as rowIndex| eventstats sum(errorCount) as totalErrors by rowIndex | stats sum(totalErrors) as totalErrors by source
Thanks for the reply ...
If I use by source, I am not getting the count.....
Hello, I was just going through the answer; try the below:
index=foo | eval errorCount=if(searchmatch("Error"),1,0) | transaction startswith="Error" endswith="READY TO ACTIVATE" mvlist=t | eventstats sum(errorCount) as totalErrors by source
Thanks for your reply, I got the correct count.
But I want to display the results in the below format:
Source    Number of errors
file1     12
file2     25
file3     32
file4     23
This is the search query:
index=foo | eval errorCount=if(searchmatch("Error"),1,0) | transaction startswith="Error" endswith="READY TO ACTIVATE" mvlist=t | streamstats count as rowIndex| eventstats sum(errorCount) as totalErrors by rowIndex
Please help me..........
Oh, I think you need to add mvlist=t to your transaction command. By default mvlist is false, meaning it will only preserve a single "1" because it's only preserving distinct values. You might also want to put a fields clause before transaction to narrow down to just the fields you'll need, to minimize transaction's work preserving all the other field values if you're not going to use them.
http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Transaction
Hi sideview,
Thanks for your response! I am still getting the count of the word "ERROR" as 1!! As we see in the sample log, we should get a count of 9.
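The point of the mvlist=t advice above is easy to see outside Splunk. The following Python is an added example, not part of this thread and not Splunk's own code: it models the eval | transaction | stats sum(errorCount) by source pipeline over constructed log lines (the 9-error transaction from the question, plus a second file1 transaction and a file2 transaction that are made up here) and runs it both with the transaction default of keeping only distinct multivalue values and with every value kept, as mvlist=t does. Assumptions, beyond the constructed data: startswith/endswith are treated as case-insensitive substring matches, as Splunk search terms are (so "completed Setup" matches "completed setup"), events are grouped per source as `transaction source startswith=... endswith=...` would do, and stray events outside a start/end pair are simply ignored rather than opened as their own transaction.

```python
"""Model of: eval errorCount=if(searchmatch("ERROR"),1,0)
             | transaction source startswith=... endswith=... [mvlist=t]
             | stats sum(errorCount) as totalErrors by source
Added illustration; not Splunk code. Sample events are constructed."""
import re
from collections import defaultdict

START_MARK = "Hydra is starting Control Channel"
END_MARK = "completed Setup"          # log actually says "completed setup"
ERR = "Error is adding AdapterJMS as Reconnectable"


def _line(ms, msg):
    """Build a raw event in the [M2E-CSI] layout used in the question."""
    return f"[M2E-CSI]2013-06-11 01:19:40,{ms:03d} PDT - {msg}"


# Constructed (source, _raw) events. file1.log: the 9-error transaction from
# the question plus a 2-error one; file2.log: a 3-error transaction.
SAMPLE_EVENTS = (
    [("file1.log", _line(924, START_MARK))]
    + [("file1.log", _line(926 + i, ERR)) for i in range(9)]
    + [("file1.log", _line(936, "completed setup"))]
    + [("file1.log", _line(940, START_MARK)),
       ("file1.log", _line(941, ERR)),
       ("file1.log", _line(942, "Info: adapter registered")),
       ("file1.log", _line(943, ERR)),
       ("file1.log", _line(944, "completed setup"))]
    + [("file2.log", _line(950, START_MARK))]
    + [("file2.log", _line(951 + i, ERR)) for i in range(3)]
    + [("file2.log", _line(955, "completed setup"))]
)


def eval_error_count(raw, term="ERROR"):
    """eval errorCount=if(searchmatch("ERROR"),1,0).
    searchmatch() is a case-insensitive search, so "Error is adding..." hits."""
    return 1 if re.search(r"\b%s\b" % re.escape(term), raw, re.IGNORECASE) else 0


def transaction(events, startswith, endswith, mvlist=False):
    """One dict per closed start..end group, carrying the multivalued
    errorCount field.  mvlist=False (Splunk's default) keeps only the
    *distinct* values, so nine 1s collapse to a single 1 and sum() gives 1;
    mvlist=True keeps every event's value in order, so sum() gives 9."""
    open_txn, closed = {}, []
    for source, raw in events:
        if startswith.lower() in raw.lower():
            # a new start marker opens a fresh group (an unclosed one is dropped)
            open_txn[source] = {"source": source, "eventcount": 0, "errorCount": []}
        txn = open_txn.get(source)
        if txn is None:
            continue                      # outside any start..end pair (assumption)
        txn["eventcount"] += 1
        txn["errorCount"].append(eval_error_count(raw))
        if endswith.lower() in raw.lower():
            if not mvlist:
                # distinct values only, first-seen order preserved
                txn["errorCount"] = list(dict.fromkeys(txn["errorCount"]))
            closed.append(open_txn.pop(source))
    return closed


def errors_by_source(events, mvlist=False):
    """stats sum(errorCount) as totalErrors by source over the transaction
    rows; sum() over a multivalued field adds every value it still holds."""
    totals = defaultdict(int)
    for txn in transaction(events, START_MARK, END_MARK, mvlist=mvlist):
        totals[txn["source"]] += sum(txn["errorCount"])
    return dict(totals)


if __name__ == "__main__":
    for flag in (False, True):
        print(f"mvlist={'t' if flag else 'f'}")
        print(f"  {'Source':<10} Number of errors")
        for source, n in sorted(errors_by_source(SAMPLE_EVENTS, flag).items()):
            print(f"  {source:<10} {n}")
```

Run as is, the default (distinct-values) pass reports 2 errors for file1.log and 1 for file2.log, i.e. one per transaction regardless of how many ERROR lines it held, which is exactly the "count of 1" symptom in the thread; the mvlist=t pass reports 11 and 3. The same effect can be checked in Splunk by looking at the errorCount column of the transaction rows before the stats: with the default it shows only 0 and 1, with mvlist=t it shows one value per event.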