Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to create a Dinamic Field with a String

danielgp89
Path Finder
‎06-26-2017 01:13 PM

Hello everyone!

How can I make a table with the number of concurrencies that splunks finds? for example I want to find in many different logs the next strings!

index=mf MFSOURCETYPE=SYSOUT JOBNAME=CICS5430 OR CICSPTVA "ERROR CICS" OR "CONDITION ERROR" OR "ABEND EN EL PROGRAMA" OR "ERROR BUSQUEDA 10 GMG" OR "ERROR BUSQUEDA LLAVE GMG OTHER"

So I want a table, kind of the stats count that only tell me the count of each strings of the search by their string name. For example

 STRING                                                                         count

"ERROR CICS"-----------------------------------------------------------5
"CONDITION ERROR"--------------------------------------------------0
"ABEND EN EL PROGRAM"------------------------------------------3
"ERROR DE BUSQUEDA 10 CMG"---------------------------------2

How can I do this without an extracion field of the log!

Regards

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-26-2017 01:49 PM

Try like this

index=mf MFSOURCETYPE=SYSOUT JOBNAME=CICS5430 OR CICSPTVA "ERROR CICS" OR "CONDITION ERROR" OR "ABEND EN EL PROGRAMA" OR "ERROR BUSQUEDA 10 GMG" OR "ERROR BUSQUEDA LLAVE GMG OTHER"
| eval STRING=case(searchmatch("ERROR CICS"),"ERROR CICS", searchmatch("CONDITION ERROR"),"CONDITION ERROR",searchmatch("ABEND EN EL PROGRAMA"),"ABEND EN EL PROGRAMA", searchmatch("ERROR BUSQUEDA 10 GMG"),"ERROR BUSQUEDA 10 GMG", searchmatch("ERROR BUSQUEDA LLAVE GMG OTHER"),"ERROR BUSQUEDA LLAVE GMG OTHER")
| stats count by STRING

OR 

index=mf MFSOURCETYPE=SYSOUT JOBNAME=CICS5430 OR CICSPTVA "ERROR CICS" OR "CONDITION ERROR" OR "ABEND EN EL PROGRAMA" OR "ERROR BUSQUEDA 10 GMG" OR "ERROR BUSQUEDA LLAVE GMG OTHER"
| rex "(?<STRING>(ERROR CICS|CONDITION ERROR|ABEND EN EL PROGRAMA|ERROR BUSQUEDA 10 GMG|ERROR BUSQUEDA LLAVE GMG OTHER))" 
| stats count by STRING

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-26-2017 01:49 PM

Try like this

index=mf MFSOURCETYPE=SYSOUT JOBNAME=CICS5430 OR CICSPTVA "ERROR CICS" OR "CONDITION ERROR" OR "ABEND EN EL PROGRAMA" OR "ERROR BUSQUEDA 10 GMG" OR "ERROR BUSQUEDA LLAVE GMG OTHER"
| eval STRING=case(searchmatch("ERROR CICS"),"ERROR CICS", searchmatch("CONDITION ERROR"),"CONDITION ERROR",searchmatch("ABEND EN EL PROGRAMA"),"ABEND EN EL PROGRAMA", searchmatch("ERROR BUSQUEDA 10 GMG"),"ERROR BUSQUEDA 10 GMG", searchmatch("ERROR BUSQUEDA LLAVE GMG OTHER"),"ERROR BUSQUEDA LLAVE GMG OTHER")
| stats count by STRING

OR 

index=mf MFSOURCETYPE=SYSOUT JOBNAME=CICS5430 OR CICSPTVA "ERROR CICS" OR "CONDITION ERROR" OR "ABEND EN EL PROGRAMA" OR "ERROR BUSQUEDA 10 GMG" OR "ERROR BUSQUEDA LLAVE GMG OTHER"
| rex "(?<STRING>(ERROR CICS|CONDITION ERROR|ABEND EN EL PROGRAMA|ERROR BUSQUEDA 10 GMG|ERROR BUSQUEDA LLAVE GMG OTHER))" 
| stats count by STRING
Reply
Solved! Jump to solution

danielgp89
Path Finder
‎06-26-2017 02:04 PM

Thanks so much! the first option works fine for me!

Thanks a lot somesoni2

Best Regards!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...