Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to find old vs new errors with counts?

akasio1972
New Member
‎11-08-2015 09:16 PM

Folks

I am new in splunk so pardon the basic question here. I am trying to find in my application what are the new errors over the past 24 hours that we never encountered in the past week. Here is my current search:

CASE(ERROR) earliest=-24h@h latest=now  | stats count as errsToday by class source linecount | sort by class source linecount | appendcols [ search CASE(ERROR)  earliest=-8d@d latest=-24h@h | stats count as errsLastWeek by class source linecount| sort by class source linecount ] | eval errsLastWeek=if(isnull(errsLastWeek),0,errsLastWeek) | eval errsToday=if(isnull(errsToday),0,errsToday) | table errsLastWeek errsToday class source linecount

My question is if anyone has comments on the above search and assuming it is correct, I have the following problem. In the results I get lines as follows:

errsLastWeek    errsToday    class     source      linecount
3               4            Foo       foo.txt     5
5               0            Foo       foo.txt     5

I would like to process further so I get:

errsLastWeek    errsToday    class     source      linecount
8               4            Foo       foo.txt     5

thanks in advance for the advice
-a

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

HeinzWaescher
Motivator
‎11-09-2015 01:36 AM

What field identifies whether the event is an error? You should start your search like this:
sourcetype=foo fieldname=ERROR

If you need class, source and linecount info I would do it like this:

Set the timerangepicker to earliest=-7d@d latest=now

sourcetype=foo fieldname=ERROR
| eval today=relative_time(now(),"@d")
| stats count(eval(if(_time<today, _time, null()))) AS errors_last_week,
        count(eval(if(_time>=today, _time, null()))) AS errors_today BY class, source, linecount
| eval new_error=if(errors_last_week=0, "true", "false")

View solution in original post

Reply
Solved! Jump to solution
Solution

HeinzWaescher
Motivator
‎11-09-2015 01:36 AM

What field identifies whether the event is an error? You should start your search like this:
sourcetype=foo fieldname=ERROR

If you need class, source and linecount info I would do it like this:

Set the timerangepicker to earliest=-7d@d latest=now

sourcetype=foo fieldname=ERROR
| eval today=relative_time(now(),"@d")
| stats count(eval(if(_time<today, _time, null()))) AS errors_last_week,
        count(eval(if(_time>=today, _time, null()))) AS errors_today BY class, source, linecount
| eval new_error=if(errors_last_week=0, "true", "false")
Reply
Solved! Jump to solution

akasio1972
New Member
‎11-09-2015 06:58 AM

Thanks man! I appreciate it. Worked great

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...