
How to count events from the same file having two different raw texts?

m7787580
Explorer

Hi Splunker,

I have to count successes and failures from the same index and sourcetype on the basis of the raw text in an event.
The only difference is that the raw text for a success differs from the raw text for a failure.

I have used the logic below to find the count of successes and failures, but this query takes a very long time to execute.

Please remember that the strings shown below are not fields in Splunk; they are plain text, on the basis of which I need to filter and count.

Could you please suggest another way to make this query execute faster?

index=Only_prod host=winter-p*-1 sourcetype="Season.log"
(Incoming OR Outgoing)
NOT ("Some String One") ("Some String Two" OR "Some String Three" OR "Some String Four")
| stats count as Error
| join type=outer serviceName [
    search index=Only_prod host=winter-p*-1 sourcetype="Season.log"
    (Incoming OR Outgoing)
    NOT ("Some String Five") ("Some String Seven" OR "Some String Six" OR "Some String Eight")
    | stats count as Successes ]

Thanks in Advance
Regards,


gcusello
SplunkTrust

Hi m7787580,
try something like this:

(index=Only_prod host=winter-p*-1 sourcetype="Season.log" (Incoming OR Outgoing) NOT ("Some String One") ("Some String Two" OR "Some String Three" OR "Some String Four"))
OR
(index=Only_prod host=winter-p*-1 sourcetype="Season.log" (Incoming OR Outgoing) NOT ("Some String Five") ("Some String Seven" OR "Some String Six" OR "Some String Eight"))
| eval status=case(
      searchmatch("Some String Two"),   "Error",
      searchmatch("Some String Three"), "Error",
      searchmatch("Some String Four"),  "Error",
      searchmatch("Some String Seven"), "Success",
      searchmatch("Some String Six"),   "Success",
      searchmatch("Some String Eight"), "Success")
| stats count BY status

In a few words: combine both of your searches with OR and, using eval, assign a status to each event; then you can use the stats command.

Bye.
Giuseppe


somesoni2
Revered Legend

Give this a try.

index=Only_prod host=winter-p*-1 sourcetype="Season.log"
(Incoming OR Outgoing)
((NOT "Some String One") ("Some String Two" OR "Some String Three" OR "Some String Four"))
OR
((NOT "Some String Five") ("Some String Seven" OR "Some String Six" OR "Some String Eight"))
| eval Error=if(searchmatch("NOT (\"Some String One\") (\"Some String Two\" OR \"Some String Three\" OR \"Some String Four\")"),1,0)
| eval Success=abs(Error-1)
| stats sum(Error) as Errors sum(Success) as Successes
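As an added example (not from either poster), a single-pass variant in the spirit of both answers: it classifies each event once with case() and match(), gives events that fit neither pattern an explicit "Other" bucket so they are not silently dropped as a null status, and uses count(eval(...)) to return both counts on one row, which is what the original join was trying to achieve. Each OR branch is fully parenthesized because SPL evaluates OR before the implicit AND between adjacent terms.

```spl
index=Only_prod host=winter-p*-1 sourcetype="Season.log" (Incoming OR Outgoing)
    ((NOT "Some String One") ("Some String Two" OR "Some String Three" OR "Some String Four"))
    OR
    ((NOT "Some String Five") ("Some String Seven" OR "Some String Six" OR "Some String Eight"))
| eval status=case(
      match(_raw, "Some String (Two|Three|Four)") AND NOT match(_raw, "Some String One"),   "Error",
      match(_raw, "Some String (Seven|Six|Eight)") AND NOT match(_raw, "Some String Five"), "Success",
      true(), "Other")
| stats count(eval(status="Error"))   AS Errors,
        count(eval(status="Success")) AS Successes,
        count(eval(status="Other"))   AS Unclassified
```

Replace the final stats with `| timechart span=1h count BY status` to see the same classification as a trend; a non-zero Unclassified column is the signal that the log format has drifted away from the assumed strings.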