Splunk Search

How do I edit my search to get a count by error text?

tkasim
New Member

Hi everyone,

I am trying to do the following in Splunk, but it's not working:

index=MRM eventtype=MRM_ERROR |
eval Description=case(
like(search, "%error1%"),"error1",
like(search, "%error2%"),"error2"
) | chart count by Description

Any ideas?

0 Karma
1 Solution

renjith_nair
Legend

Are you comparing it with the field ? I mean is search is your field name? If not, substitute search with your field name where error error2 keywords are present.
If you are getting an error or undesired output please mention that too
ie:

index=MRM eventtype=MRM_ERROR |eval Description=case(like(<field_name>, "%error1%"),"error1",like(<field_name>, "%error2%"),"error2") | chart count by Description
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair
Legend

Are you comparing it with the field ? I mean is search is your field name? If not, substitute search with your field name where error error2 keywords are present.
If you are getting an error or undesired output please mention that too
ie:

index=MRM eventtype=MRM_ERROR |eval Description=case(like(<field_name>, "%error1%"),"error1",like(<field_name>, "%error2%"),"error2") | chart count by Description
---
What goes around comes around. If it helps, hit it with Karma 🙂

tkasim
New Member

Hi Renjith

the "search" keyword is not a field. I actually want to search the resultset for those errors...
I am not sure how to point to the resultset. I have zero experience with splunk so please excuse the novice question.

I also tried "rawtext" that too didn't work.

index=MRM eventtype=MRM_ERROR |
eval Description=case(
like(rawtext, "%error1%"),"error1",
like(rawtext, "%error2%"),"error2"
) | chart count by Description

0 Karma

renjith_nair
Legend

Alright. For raw your should use _raw ie

 index=MRM eventtype=MRM_ERROR |eval Description=case(like(_raw, "%error1%"),"error1",like(_raw, "%error2%"),"error2") | chart count by Description

Ideally if the field is not available , you should extract the field using field extraction techniques in splunk

http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/ExtractfieldsinteractivelywithIFX
http://docs.splunk.com/Documentation/Splunk/6.1/Search/Extractfieldswithsearchcommands
http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/Createandmaintainsearch-timefieldextract...

---
What goes around comes around. If it helps, hit it with Karma 🙂

tkasim
New Member

Thank you so much.

My plan is to turn the most frequent errors into fields. The above is a great starting point. Thanks for the links, just what I needed 🙂

0 Karma
Get Updates on the Splunk Community!

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...

What's New in Splunk Cloud Platform 9.2.2406?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2406 with many ...

Enterprise Security Content Update (ESCU) | New Releases

In August, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...