Splunk Search

How do I edit my search to get a count by error text?

tkasim
New Member

Hi everyone,

I am trying to do the following in Splunk, but it's not working:

index=MRM eventtype=MRM_ERROR |
eval Description=case(
like(search, "%error1%"),"error1",
like(search, "%error2%"),"error2"
) | chart count by Description

Any ideas?

0 Karma
1 Solution

renjith_nair
Legend

Are you comparing it with the field ? I mean is search is your field name? If not, substitute search with your field name where error error2 keywords are present.
If you are getting an error or undesired output please mention that too
ie:

index=MRM eventtype=MRM_ERROR |eval Description=case(like(<field_name>, "%error1%"),"error1",like(<field_name>, "%error2%"),"error2") | chart count by Description
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair
Legend

Are you comparing it with the field ? I mean is search is your field name? If not, substitute search with your field name where error error2 keywords are present.
If you are getting an error or undesired output please mention that too
ie:

index=MRM eventtype=MRM_ERROR |eval Description=case(like(<field_name>, "%error1%"),"error1",like(<field_name>, "%error2%"),"error2") | chart count by Description
---
What goes around comes around. If it helps, hit it with Karma 🙂

tkasim
New Member

Hi Renjith

the "search" keyword is not a field. I actually want to search the resultset for those errors...
I am not sure how to point to the resultset. I have zero experience with splunk so please excuse the novice question.

I also tried "rawtext" that too didn't work.

index=MRM eventtype=MRM_ERROR |
eval Description=case(
like(rawtext, "%error1%"),"error1",
like(rawtext, "%error2%"),"error2"
) | chart count by Description

0 Karma

renjith_nair
Legend

Alright. For raw your should use _raw ie

 index=MRM eventtype=MRM_ERROR |eval Description=case(like(_raw, "%error1%"),"error1",like(_raw, "%error2%"),"error2") | chart count by Description

Ideally if the field is not available , you should extract the field using field extraction techniques in splunk

http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/ExtractfieldsinteractivelywithIFX
http://docs.splunk.com/Documentation/Splunk/6.1/Search/Extractfieldswithsearchcommands
http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/Createandmaintainsearch-timefieldextract...

---
What goes around comes around. If it helps, hit it with Karma 🙂

tkasim
New Member

Thank you so much.

My plan is to turn the most frequent errors into fields. The above is a great starting point. Thanks for the links, just what I needed 🙂

0 Karma
Get Updates on the Splunk Community!

Out of the Box to Up And Running - Streamlined Observability for Your Cloud ...

  Tech Talk Streamlined Observability for Your Cloud Environment Register    Out of the Box to Up And Running ...

Splunk Smartness with Brandon Sternfield | Episode 3

Hello and welcome to another episode of "Splunk Smartness," the interview series where we explore the power of ...

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...