Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to find old vs new errors with counts?

akasio1972
New Member
‎11-08-2015 09:16 PM

Folks

I am new in splunk so pardon the basic question here. I am trying to find in my application what are the new errors over the past 24 hours that we never encountered in the past week. Here is my current search:

CASE(ERROR) earliest=-24h@h latest=now  | stats count as errsToday by class source linecount | sort by class source linecount | appendcols [ search CASE(ERROR)  earliest=-8d@d latest=-24h@h | stats count as errsLastWeek by class source linecount| sort by class source linecount ] | eval errsLastWeek=if(isnull(errsLastWeek),0,errsLastWeek) | eval errsToday=if(isnull(errsToday),0,errsToday) | table errsLastWeek errsToday class source linecount

My question is if anyone has comments on the above search and assuming it is correct, I have the following problem. In the results I get lines as follows:

errsLastWeek    errsToday    class     source      linecount
3               4            Foo       foo.txt     5
5               0            Foo       foo.txt     5

I would like to process further so I get:

errsLastWeek    errsToday    class     source      linecount
8               4            Foo       foo.txt     5

thanks in advance for the advice
-a

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

HeinzWaescher
Motivator
‎11-09-2015 01:36 AM

What field identifies whether the event is an error? You should start your search like this:
sourcetype=foo fieldname=ERROR

If you need class, source and linecount info I would do it like this:

Set the timerangepicker to earliest=-7d@d latest=now

sourcetype=foo fieldname=ERROR
| eval today=relative_time(now(),"@d")
| stats count(eval(if(_time<today, _time, null()))) AS errors_last_week,
        count(eval(if(_time>=today, _time, null()))) AS errors_today BY class, source, linecount
| eval new_error=if(errors_last_week=0, "true", "false")

View solution in original post

Reply
Solved! Jump to solution
Solution

HeinzWaescher
Motivator
‎11-09-2015 01:36 AM

What field identifies whether the event is an error? You should start your search like this:
sourcetype=foo fieldname=ERROR

If you need class, source and linecount info I would do it like this:

Set the timerangepicker to earliest=-7d@d latest=now

sourcetype=foo fieldname=ERROR
| eval today=relative_time(now(),"@d")
| stats count(eval(if(_time<today, _time, null()))) AS errors_last_week,
        count(eval(if(_time>=today, _time, null()))) AS errors_today BY class, source, linecount
| eval new_error=if(errors_last_week=0, "true", "false")
Reply
Solved! Jump to solution

akasio1972
New Member
‎11-09-2015 06:58 AM

Thanks man! I appreciate it. Worked great

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...