How to count "different" log messages

BeaGarcia · ‎09-18-2023

Hello! I want to count how many different kind of errors appeared for different services.

At the moment, I'm searching for the errors like this

Index=etc message = "error 1" OR "error 2" OR ... "error N" | chart count by instance_name, message

And I've got as a result:

And under those column names, it shows how many times that error appeared. How can I count them without caring about the user and only caring about the "error 1" string?

I mean, I want the result to look like

Instance_name | error 1 | error2 |...| errorN

bowesmana · ‎09-18-2023

Extract the error number from the message and use that instead of message, e.g.

index=etc message="error 1" OR message="error 2" OR message="error N" 
| rex field=message "error (?<error>\d+)"
| chart count by instance_name, error

You will have to change the regex in the rex statement so you extract what you want - the one above just extracts the number after the word "error "

Note if you want the message to be one of A OR B OR C, you use message=A OR message=B OR message=C rather than message=A OR B OR C

You can also use message IN ("A","B","C")

How to count "different" log messages

chart

count

field extraction

fields

rex

subsearch

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Are you a member of the Splunk Community?

How to count "different" log messages