My Splunk query is:
host=x OR host=y OR host=z nfs1
| stats count as nfs1_count
In the above case nfs1 field is searched from the three hosts and if found the event count is displayed as nfs1_count.
My concern is, I have another field called 'nfs2' that also needs to be searched on the same three hosts (x, y, z), and the event count needs to be collected. Later the event counts (the numeric values) for fields nfs1 and nfs2 are to be put in a table or a pie chart.
Is it possible to achieve this in one search query?
Hi @zacksoft,
Can you please try this one?
(host=x OR host=y OR host=z) (nfs1=* OR nfs2=*) | stats count(eval(isnotnull(nfs1))) as nfs1_count count(eval(isnotnull(nfs2))) as nfs2_count
Thanks
It won't work, same as before. It doesn't search 'ERROR'. So I changed the second line ("struc" OR "xpo") to error to see what results come. In that case I only got events with ERROR, not with struc or xpo!
Hi
I found "ERROR" in your sample search and used it for the search.
Do we get data in the searches below?
1)
(host="hg67plvbsa788.vadnski.com" OR "hg67plvbsa781.vadnski.com" OR "hg67plvbsa783.vadnski.com" OR "hg67plvbsa784.vadnski.com" OR "hg67hgtrre388.vadnski.com") ("struc" OR "xpo") "ERROR"
2)
(host="hg67plvbsa788.vadnski.com" OR "hg67plvbsa781.vadnski.com" OR "hg67plvbsa783.vadnski.com" OR "hg67plvbsa784.vadnski.com" OR "hg67hgtrre388.vadnski.com") ("struc" OR "xpo") "ERROR" | eval struc = if(like(_raw,"%struc%") AND like(_raw,"%ERROR%"),1,8) | eval xpo = if(like(_raw,"%xpo%") AND like(_raw,"%ERROR%"),1,8) | table _time struc xpo
1) yes, we get data in this search.
2) Yes, we get data in this search, and the search events also contain the keyword 'struc' AND 'error' ; 'xpo' AND 'error' as we have been expecting.
Great,
Then this should work.
(host="hg67plvbsa788.vadnski.com" OR "hg67plvbsa781.vadnski.com" OR "hg67plvbsa783.vadnski.com" OR "hg67plvbsa784.vadnski.com" OR "hg67hgtrre388.vadnski.com") ("struc" OR "xpo") "ERROR" | eval struc = if(like(_raw,"%struc%") AND like(_raw,"%ERROR%"),1,8) | eval xpo = if(like(_raw,"%xpo%") AND like(_raw,"%ERROR%"),1,8) | stats sum(struc) as nfs1_count sum(xpo) as nfs2_count
@kamlesh_vaghela
Yes, it's working now. Brilliant. 🙂
I cannot thank enough for your patience with this issue.
In future, if such a query comes up, is it okay to use the search command you have supplied by only changing the struc/xpo/error words in it as required? I am asking 'cos I don't understand the last part of it where you have put 1,8) which was initially 1,0). What does 1,8) signify?
Thanks again for the brilliance.
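Added example, not from any participant in this thread: one search that counts two keyword pairs from the same hosts and returns them as a two-row table that a pie chart can use directly. The host values x, y, z and the keywords nfs1/error1 and nfs2/error2 are placeholders taken from the question; everything else is an assumption of this example.

```spl
(host=x OR host=y OR host=z) (nfs1 OR nfs2) (error1 OR error2)
| eval nfs1_hit = if(searchmatch("nfs1 error1"), 1, 0)
| eval nfs2_hit = if(searchmatch("nfs2 error2"), 1, 0)
| stats sum(nfs1_hit) AS nfs1_count, sum(nfs2_hit) AS nfs2_count
| transpose column_name=keyword
| rename "row 1" AS count
```

Two points the thread leaves open. First, the third argument of if() is the value given to every event that does not match, so if(cond, 1, 0) makes sum() equal to the number of matching events, while if(cond, 1, 8) adds 8 for every non-matching event and inflates the total. Second, like(_raw, "%ERROR%") compares the literal text, so it does not match an event that says "error"; searchmatch() uses the same case-insensitive matching as the search bar, which avoids the ERROR/Error/error mismatch seen above. The transpose and rename at the end turn the single stats row into keyword/count rows; drop them if a one-row table is preferred.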
It's really strange but the resulting events do not contain the word ERROR.
All the events have either the word 'struc' or 'xpo'.
But none of the events contain 'struc' AND 'error' .
Now, when I removed the line ("struc" OR "xpo") and put error there like following
It shows events only with 'error' keyword not error AND struc.
(host="something1.domain.com" OR "something2.domain.com" OR "something3.domain.com" OR "something4.domain.com" OR "something5.domian.com" )
error
| eval struc = if(like(_raw,"%struc%") AND like(_raw,"%ERROR%"),1,0)
| eval xpo = if(like(_raw,"%xpo%") AND like(_raw,"%ERROR%"),1,0)
| stats sum(struc) as nfs1_count sum(xpo) as nfs2_count
(host="hg67plvbsa788.vadnski.com" OR "hg67plvbsa781.vadnski.com" OR "hg67plvbsa783.vadnski.com" OR "hg67plvbsa784.vadnski.com" OR "hg67hgtrre388.vadnski.com")
("struc" OR "xpo")
| eval struc = if(like(_raw,"%struc%") AND like(_raw,"%Error%"),1,8)
| eval xpo = if(like(_raw,"%xpo%") AND like(_raw,"%Error%"),1,8)
| stats sum(struc) as nfs1_count sum(xpo) as nfs2_count
host="something1.domain.com" OR "something2.domain.com" OR "something3.domain.com" OR "something4.domain.com" OR "something5.domian.com"
("struc" OR "xpo")
| eval struc = if(like(_raw,"%struc%") AND like(_raw,"%Error%"),1,0)
| eval xpo = if(like(_raw,"%xpo%") AND like(_raw,"%Error%"),1,0)
| stats sum(struc) as nfs1_count sum(xpo) as nfs2_count
Hi
Can I have a sample _raw event?
Hi zacksoft,
try something like this:
host=x OR host=y OR host=z
| eval nfs=case(nfs1=*,"nfs1_count"," ",nfs2=*,"nfs2_count")
| stats count BY nfs
Bye.
Giuseppe
Thanks Giuseppe for the response.
The eval statement throws an error:
Error in 'eval' command: The expression is malformed. An unexpected character is reached at ',"nfs1_count"," " ,nfs2=,"nfs2_count")'.
Sorry, there's an error, try:
host=x OR host=y OR host=z
| eval nfs=case(nfs1=,"nfs1_count",nfs2=,"nfs2_count")
| stats count BY nfs
Bye.
Giuseppe
@cusello
Hi Giuseppe -
I get [Error in 'eval' command: The expression is malformed.]
Just so you know, nfs1 and nfs2 are not Splunk fields. They are just some keywords found in error logs. What I'm exactly seeking help with is:
nfs1_count should give me the count of the 'nfs1' AND 'error1'.
nfs2_count should give me the count of 'nfs2' AND 'error2'.
(error1 and error2 are again just words in the log; they are not Splunk fields.)
Sorry, there was a representation error:
host=x OR host=y OR host=z
| eval nfs=case(nfs1=*,"nfs1_count",nfs2=*,"nfs2_count")
| stats count BY nfs
Bye.
Giuseppe