Solved: How to generate a search that will count based on ...

newbiesplunk · ‎12-07-2016

Hi, i need to count the stat based on different type of source and field (based on 1st 3 char of the filename of the field). E.g. My ultimate goal is to get a timechart of line graph showing stat based on different filetype. thks

12/7/16 12: 14    filename="ABC132323.txt" source="abc.log"
12/7/16 17: 14    filename="DEF.txt" source="def.log"
11/3/16 01: 14    filename="QDAD21.txt" source="wed.log"
08/7/16 12: 14    filename="ABC.txt" source="abc.log"
01/7/16 12: 14    filename="QD444.txt" source="abc.log"

result:

filename    count
ABC*          2
DEF*          1
QD*           2

richgalloway · ‎12-07-2016

Something like this should get you started.

... | eval prefix = substr(filename, 1, 3) | stats count by prefix | ...

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎12-07-2016

Something like this should get you started.

... | eval prefix = substr(filename, 1, 3) | stats count by prefix | ...

---
If this reply helps you, Karma would be appreciated.

How to generate a search that will count based on filename in the log?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!