Splunk Search

How to generate a search that will count based on filename in the log?

Path Finder

Hi, I need to count the stat based on different types of source and field (based on the 1st 3 chars of the filename of the field). E.g. my ultimate goal is to get a timechart of line graph showing stat based on different filetype. Thanks

12/7/16 12:14    filename="ABC132323.txt" source="abc.log"
12/7/16 17:14    filename="DEF.txt" source="def.log"
11/3/16 01:14    filename="QDAD21.txt" source="wed.log"
08/7/16 12:14    filename="ABC.txt" source="abc.log"
01/7/16 12:14    filename="QD444.txt" source="abc.log"

result:

filename    count
ABC*          2
DEF*          1
QD*           2
1 Solution

SplunkTrust

Something like this should get you started.

... | eval prefix = substr(filename, 1, 3) | stats count by prefix | ...
---
If this reply helps you, an upvote would be appreciated.
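
A fuller version of the search suggested above, as an added example that is not part of the original posts: it rebuilds the five sample events from the question with makeresults (constructed data; the dates are assumed to be day/month/year), gives the two-letter QD files their own bucket so they match the requested QD* row instead of splitting into QDA and QD4, and ends in the timechart the question asks for. The field names raw and parts and the one-month span are choices made for this example.

```spl
| makeresults
| eval raw="12/7/16 12:14|ABC132323.txt;12/7/16 17:14|DEF.txt;11/3/16 01:14|QDAD21.txt;08/7/16 12:14|ABC.txt;01/7/16 12:14|QD444.txt"
| makemv delim=";" raw
| mvexpand raw
| eval parts=split(raw, "|")
| eval _time=strptime(mvindex(parts, 0), "%d/%m/%y %H:%M"), filename=mvindex(parts, 1)
| eval prefix=case(like(filename, "QD%"), "QD", true(), substr(filename, 1, 3))
| timechart span=1mon count by prefix
```

On real data, replace everything up to and including the strptime line with the base search that returns the events carrying the filename field.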
