Hello,
We are logging various info at the job level. The Message field carries all the info. I would like to get the count of each message occurrence using multiple where clauses.
Message
The job is successful for the user A
System exception: failed job B
System exception: failed job A
Policy issued for the user A
Policy issued for the user B
Doc cleared for user D
The job is successful for the user B
Doc cleared for user A
Doc cleared for user B
Doc cleared for user C
I need counts of each occurrence and the total count.
Policy Issued Count : 2
System exception Count : 2
Doc Clear Count : 4
Successful Count : 2
Total Count: 10
Any help would be much appreciated.
Thanks.
You don't need makeresults. Note the comment in the answer "Above just sets up test data". That creates a run-anywhere search that doesn't need real data to produce results. If you HAVE REAL DATA then don't use the test data. Remove everything up to and including the first comment.
The query must begin with a "|".
Thank you, it works perfectly. I am having challenges using makeresults with a search.
The search below returns all the events for the job from the last 2 days. Now I need to count on the message field.
index=main host=AIN001 robotJobName=Arya earliest=-2d@d latest=+2d@d
I am receiving the exception below when I use makeresults on the query.
Error in 'makeresults' command: This command must be the first command of a search.
Sorry, I am a beginner and still learning; your help would be much appreciated.
See if this helps.
| makeresults | eval Message="The job is successful for the user A;System exception: failed job B;System exception: failed job A;Policy issued for the user A;Policy issued for the user B;Doc cleared for user D;The job is successful for the user B;Doc cleared for user A;Doc cleared for user B;Doc cleared for user C" | eval Message=split(Message,";") | mvexpand Message
```Above just sets up test data.```
```Extract the user name from the event```
| rex field=Message "(?:user|failed job) (?<userJob>\w+)"
```Make each message type "generic"```
| eval Message=case(like(Message,"The job is successful%"), "Successful Count", like(Message, "System exception%"), "System exception Count", like(Message, "Policy issued%"), "Policy Issued Count", like(Message, "Doc cleared%"), "Doc Clear Count", 1==1, Message)
```Count each message type```
| stats count by Message
```Add a total count```
| addcoltotals label="Total Count" labelfield=Message
Thanks for the solution. I ran the query in Splunk; it's returning no results.
Hello @richgalloway, I am asking for your help again to get counts for the messages below. I tried the same instructions but am unable to get counts. From the messages below, get counts depending on the message value. Your help would be highly appreciated.
Consider messages which end with "To Report." and get counts.
message contains "Parker could not be processed" - Failure Count
message contains "Parker successfully issued" - Success Count
if the message has any other text: Partial Success
get the total count: Total Count.
PK11036791 : Parker successfully issued the 06/05/2021 renewal.,.To Report.
PK11036918 : Parker successfully issued the 06/05/2021 renewal.,.To Report.
PK11037082 : Parker successfully issued the 06/05/2021 renewal.,.To Report.
PK01041601 : New activity on DRA for Michael Demiranda.,Please review new MVR information.,New PPA changes present.,Multiple Property policies present, please work HO.,.To Report.
PK11032274 : Please review new MVR information.,.To Report.
PK11036998 : Parker successfully issued the 06/05/2021 renewal.,.To Report.
PK11041586 : New HO changes present.,Please review new MVR information.,New PPA changes present.,.To Report.
PK11004163 : New HO changes present.,New PPA changes present.,.To Report.
PK11014724 : New PPA changes present.,.To Report.
PK11041665 : New HO changes present.,Please review new MVR information.,New PPA changes present.,.To Report.
Parker could not be processed, please work PK Renewal. To Report.
Parker could not be processed, please work PK Renewal. To Report.
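The follow-up question above was never answered in the thread. The search below is an added example, not a post by anyone in the thread, that applies the same pattern as the accepted answer (makeresults test data, a case()/like() bucket, stats, addcoltotals) to the twelve messages listed above. The field name "message", the category labels and the extracted "policyKey" field are assumptions; the messages themselves are the ones posted above, joined with ";" as a separator because none of them contains that character.

```spl
| makeresults
| eval message="PK11036791 : Parker successfully issued the 06/05/2021 renewal.,.To Report.;PK11036918 : Parker successfully issued the 06/05/2021 renewal.,.To Report.;PK11037082 : Parker successfully issued the 06/05/2021 renewal.,.To Report.;PK01041601 : New activity on DRA for Michael Demiranda.,Please review new MVR information.,New PPA changes present.,Multiple Property policies present, please work HO.,.To Report.;PK11032274 : Please review new MVR information.,.To Report.;PK11036998 : Parker successfully issued the 06/05/2021 renewal.,.To Report.;PK11041586 : New HO changes present.,Please review new MVR information.,New PPA changes present.,.To Report.;PK11004163 : New HO changes present.,New PPA changes present.,.To Report.;PK11014724 : New PPA changes present.,.To Report.;PK11041665 : New HO changes present.,Please review new MVR information.,New PPA changes present.,.To Report.;Parker could not be processed, please work PK Renewal. To Report.;Parker could not be processed, please work PK Renewal. To Report."
| eval message=split(message,";")
| mvexpand message
| where like(message, "%To Report.")
| rex field=message "^(?<policyKey>PK\d+)\s*:"
| eval Result=case(like(message, "%Parker could not be processed%"), "Failure Count", like(message, "%Parker successfully issued%"), "Success Count", 1==1, "Partial Success")
| stats count values(policyKey) as policyKeys by Result
| addcoltotals label="Total Count" labelfield=Result
```

The first three lines only build test data; against real events, drop them and start from your own base search (for example the index/host/robotJobName search posted earlier in the thread), keeping everything from the where clause onward. The where clause enforces the "ends with To Report." rule before anything is counted, and like() treats "." literally, so only "%" is a wildcard. The rex is optional: it pulls the PK number off the front so you can see which policies landed in each bucket, and it simply yields no value for the failure messages, which have no prefix. The 1==1 branch of case() is what turns every unmatched message into "Partial Success"; check the order of the branches if a message could ever match more than one pattern, since case() returns the first match.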
This thread has an accepted solution. Please post a new question and include the query you've tried.
Sure, thanks.