Splunk Search

How to get counts of same field with different info

Murali51
Explorer

Hello,

We are logging various info during job level. Message filed carries all the info.  I would like to get count of each message occurrence using multiple where clause.

Message
The job is successful for the user A
System exception: failed job B
System exception: failed job A
Policy issued for the user A
Policy issued for the user B
Doc cleared for user D
The job is successful for the user B
Doc cleared for user A
Doc cleared for user B
Doc cleared for user C

 

I need counts of each occurrence and total count. 

Policy Issued Count : 2
System exception Count : 2
Doc Clear Count : 4
Successful Count  : 2

Total Count:  10

Any help would be much appreciated.

Thanks.  

 

Labels (2)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

You don't need makeresults.  Note the comment in the answer "Above just sets up test data".  That creates a run-anywhere search that doesn't need real data to produce results.  If you HAVE REAL DATA then don't use the test data.  Remove everything up to and including the first comment.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The query must begin with a "|".

---
If this reply helps you, Karma would be appreciated.

Murali51
Explorer

Thanks you, its works prefect. I am having challenges using  makeresults with Search. 

Below search returns all the events for the job from last 2 days. Now I need to count on the message field. 

index=main host=AIN001 robotJobName=Arya earliest=-2d@d latest=+2d@d

receiving the below exception when I use the makeresults on the query.

Error in 'makeresults' command: This command must be the first command of a search.

Sorry I am  beginner and still learning , your help would be much appreciated. 

Murali51_0-1614630293293.png

 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

You don't need makeresults.  Note the comment in the answer "Above just sets up test data".  That creates a run-anywhere search that doesn't need real data to produce results.  If you HAVE REAL DATA then don't use the test data.  Remove everything up to and including the first comment.

---
If this reply helps you, Karma would be appreciated.
0 Karma

richgalloway
SplunkTrust
SplunkTrust

See if this helps.

 

| makeresults | eval Message="The job is successful for the user A;System exception: failed job B;System exception: failed job A;Policy issued for the user A;Policy issued for the user B;Doc cleared for user D;The job is successful for the user B;Doc cleared for user A;Doc cleared for user B;Doc cleared for user C" | eval Message=split(Message,";") | mvexpand Message
```Above just sets up test data.```
```Extract the user name from the event```
| rex field=Message "(?:user|failed job) (?<userJob>\w+)"
```Make each message type "generic"```
| eval Message=case(like(Message,"The job is successful%"), "Successful Count", like(Message, "System exception%"), "System exception Count", like(Message, "Policy issued%"), "Policy Issued Count", like(Message, "Doc cleared%"), "Doc Clear Count", 1==1, Message)
```Count each message type1```
| stats count by Message
```Add a total count```
| addcoltotals label="Total Count" labelfield=Message

 

---
If this reply helps you, Karma would be appreciated.
0 Karma

Murali51
Explorer

Thanks for the solution, I ran the Query in splunk, its returning no results. 

Murali51_0-1614620654646.png

 

 

 

0 Karma

Murali51
Explorer

Hello @richgalloway , I am asking your help again to get counts for below messages. I tried the same instruction but unable to get counts. From below messages get counts depends and message value. Your help would be highly appreciated. 

Consider message which ends with To Report. and get counts.

message contains "Parker could not be processed" - Failure count

message contains "Parker successfully issued" - Success Count

if message has Any other message : Partial Success

get total count Total Count.

PK11036791 : Parker successfully issued the 06/05/2021 renewal.,.To Report.
PK11036918 : Parker successfully issued the 06/05/2021 renewal.,.To Report.
PK11037082 : Parker successfully issued the 06/05/2021 renewal.,.To Report.
PK01041601 : New activity on DRA for Michael Demiranda.,Please review new MVR information.,New PPA changes present.,Multiple Property policies present, please work HO.,.To Report.
PK11032274 : Please review new MVR information.,.To Report.
PK11036998 : Parker successfully issued the 06/05/2021 renewal.,.To Report.
PK11041586 : New HO changes present.,Please review new MVR information.,New PPA changes present.,.To Report.
PK11004163 : New HO changes present.,New PPA changes present.,.To Report.
PK11014724 : New PPA changes present.,.To Report.
PK11041665 : New HO changes present.,Please review new MVR information.,New PPA changes present.,.To Report.
Parker could not be processed, please work PK Renewal. To Report.
Parker could not be processed, please work PK Renewal. To Report.
0 Karma

richgalloway
SplunkTrust
SplunkTrust

This thread has an accepted solution.  Please post a new question and include the query you've tried.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Murali51
Explorer

Sure, thanks.

0 Karma
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...