Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to create a Dinamic Field with a String
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello everyone!
How can I make a table with the number of concurrencies that splunks finds? for example I want to find in many different logs the next strings!
index=mf MFSOURCETYPE=SYSOUT JOBNAME=CICS5430 OR CICSPTVA "ERROR CICS" OR "CONDITION ERROR" OR "ABEND EN EL PROGRAMA" OR "ERROR BUSQUEDA 10 GMG" OR "ERROR BUSQUEDA LLAVE GMG OTHER"
So I want a table, kind of the stats count that only tell me the count of each strings of the search by their string name. For example
STRING count
"ERROR CICS"-----------------------------------------------------------5
"CONDITION ERROR"--------------------------------------------------0
"ABEND EN EL PROGRAM"------------------------------------------3
"ERROR DE BUSQUEDA 10 CMG"---------------------------------2
How can I do this without an extracion field of the log!
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this
index=mf MFSOURCETYPE=SYSOUT JOBNAME=CICS5430 OR CICSPTVA "ERROR CICS" OR "CONDITION ERROR" OR "ABEND EN EL PROGRAMA" OR "ERROR BUSQUEDA 10 GMG" OR "ERROR BUSQUEDA LLAVE GMG OTHER"
| eval STRING=case(searchmatch("ERROR CICS"),"ERROR CICS", searchmatch("CONDITION ERROR"),"CONDITION ERROR",searchmatch("ABEND EN EL PROGRAMA"),"ABEND EN EL PROGRAMA", searchmatch("ERROR BUSQUEDA 10 GMG"),"ERROR BUSQUEDA 10 GMG", searchmatch("ERROR BUSQUEDA LLAVE GMG OTHER"),"ERROR BUSQUEDA LLAVE GMG OTHER")
| stats count by STRING
OR
index=mf MFSOURCETYPE=SYSOUT JOBNAME=CICS5430 OR CICSPTVA "ERROR CICS" OR "CONDITION ERROR" OR "ABEND EN EL PROGRAMA" OR "ERROR BUSQUEDA 10 GMG" OR "ERROR BUSQUEDA LLAVE GMG OTHER"
| rex "(?<STRING>(ERROR CICS|CONDITION ERROR|ABEND EN EL PROGRAMA|ERROR BUSQUEDA 10 GMG|ERROR BUSQUEDA LLAVE GMG OTHER))"
| stats count by STRING
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this
index=mf MFSOURCETYPE=SYSOUT JOBNAME=CICS5430 OR CICSPTVA "ERROR CICS" OR "CONDITION ERROR" OR "ABEND EN EL PROGRAMA" OR "ERROR BUSQUEDA 10 GMG" OR "ERROR BUSQUEDA LLAVE GMG OTHER"
| eval STRING=case(searchmatch("ERROR CICS"),"ERROR CICS", searchmatch("CONDITION ERROR"),"CONDITION ERROR",searchmatch("ABEND EN EL PROGRAMA"),"ABEND EN EL PROGRAMA", searchmatch("ERROR BUSQUEDA 10 GMG"),"ERROR BUSQUEDA 10 GMG", searchmatch("ERROR BUSQUEDA LLAVE GMG OTHER"),"ERROR BUSQUEDA LLAVE GMG OTHER")
| stats count by STRING
OR
index=mf MFSOURCETYPE=SYSOUT JOBNAME=CICS5430 OR CICSPTVA "ERROR CICS" OR "CONDITION ERROR" OR "ABEND EN EL PROGRAMA" OR "ERROR BUSQUEDA 10 GMG" OR "ERROR BUSQUEDA LLAVE GMG OTHER"
| rex "(?<STRING>(ERROR CICS|CONDITION ERROR|ABEND EN EL PROGRAMA|ERROR BUSQUEDA 10 GMG|ERROR BUSQUEDA LLAVE GMG OTHER))"
| stats count by STRING
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks so much! the first option works fine for me!
Thanks a lot somesoni2
Best Regards!
See Splunk Platform & Observability Innovations at Cisco Live EMEA
The OpenTelemetry Certified Associate (OTCA) Exam
From Manual to Agentic: Level Up Your SOC at Cisco Live
