Hello everyone!
How can I make a table with the number of concurrencies that Splunk finds? For example, I want to find the following strings in many different logs:
index=mf MFSOURCETYPE=SYSOUT JOBNAME=CICS5430 OR CICSPTVA "ERROR CICS" OR "CONDITION ERROR" OR "ABEND EN EL PROGRAMA" OR "ERROR BUSQUEDA 10 GMG" OR "ERROR BUSQUEDA LLAVE GMG OTHER"
So I want a table, kind of like stats count, that only tells me the count of each string of the search by its string name. For example:
STRING                        count
"ERROR CICS"                  5
"CONDITION ERROR"             0
"ABEND EN EL PROGRAM"         3
"ERROR DE BUSQUEDA 10 CMG"    2
How can I do this without an extraction field of the log?
Regards
Try like this
index=mf MFSOURCETYPE=SYSOUT JOBNAME=CICS5430 OR CICSPTVA "ERROR CICS" OR "CONDITION ERROR" OR "ABEND EN EL PROGRAMA" OR "ERROR BUSQUEDA 10 GMG" OR "ERROR BUSQUEDA LLAVE GMG OTHER"
| eval STRING=case(searchmatch("ERROR CICS"),"ERROR CICS", searchmatch("CONDITION ERROR"),"CONDITION ERROR",searchmatch("ABEND EN EL PROGRAMA"),"ABEND EN EL PROGRAMA", searchmatch("ERROR BUSQUEDA 10 GMG"),"ERROR BUSQUEDA 10 GMG", searchmatch("ERROR BUSQUEDA LLAVE GMG OTHER"),"ERROR BUSQUEDA LLAVE GMG OTHER")
| stats count by STRING
OR
index=mf MFSOURCETYPE=SYSOUT JOBNAME=CICS5430 OR CICSPTVA "ERROR CICS" OR "CONDITION ERROR" OR "ABEND EN EL PROGRAMA" OR "ERROR BUSQUEDA 10 GMG" OR "ERROR BUSQUEDA LLAVE GMG OTHER"
| rex "(?<STRING>(ERROR CICS|CONDITION ERROR|ABEND EN EL PROGRAMA|ERROR BUSQUEDA 10 GMG|ERROR BUSQUEDA LLAVE GMG OTHER))"
| stats count by STRING
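The table in the question includes a row with count 0, which `stats count by STRING` alone never produces, because a string with no matching events yields no row. One way to get it, shown here as an added example that is not part of the original answers: append one zero-count row per string and sum. It reuses the search and strings from the thread; `max_match=0` with `mvdedup` is an addition so that an event containing several of the strings is counted once for each of them.

```spl
index=mf MFSOURCETYPE=SYSOUT JOBNAME=CICS5430 OR CICSPTVA "ERROR CICS" OR "CONDITION ERROR" OR "ABEND EN EL PROGRAMA" OR "ERROR BUSQUEDA 10 GMG" OR "ERROR BUSQUEDA LLAVE GMG OTHER"
| rex max_match=0 "(?<STRING>ERROR CICS|CONDITION ERROR|ABEND EN EL PROGRAMA|ERROR BUSQUEDA 10 GMG|ERROR BUSQUEDA LLAVE GMG OTHER)"
| eval STRING=mvdedup(STRING)
| stats count by STRING
| append
    [| makeresults
     | eval STRING=split("ERROR CICS,CONDITION ERROR,ABEND EN EL PROGRAMA,ERROR BUSQUEDA 10 GMG,ERROR BUSQUEDA LLAVE GMG OTHER", ",")
     | mvexpand STRING
     | eval count=0
     | fields STRING count]
| stats sum(count) AS count by STRING
| sort - count
```

The list passed to `split` has to be kept in step with the alternatives in the `rex` pattern, otherwise a string can be counted without ever getting its zero row, or the other way round.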
Thanks so much! The first option works fine for me!
Thanks a lot somesoni2
Best Regards!