Splunk Search

How to get the count of the number of duplicates that have been eliminated using dedup

marty1234
Engager

There are many failures in my logs and many of them are failing for the same reason. I am using this query to see the unique reasons:

index=myIndexVal log_level="'ERROR'" | dedup reason, desc | table reason, desc

I also want a count next to each row saying how many duplicates there were for that reason. Basically I want a frequency count of each type of failure. I am a complete beginner and am in no way married to the above command, in fact the count doesn't even have to be in the table generated by the above query, I just need the numbers and the failure types, it doesn't have to be pretty or anything.

All the other posts I'm seeing seem to require me to know all the failure reasons, as in there needs to be some limited number that I can put into the query, but thats not feasible in my situation.
Thank you in advance.

0 Karma
1 Solution

adonio
Ultra Champion

try this:

index=myIndexVal log_level="'ERROR'" | stats count by reason, desc

View solution in original post

adonio
Ultra Champion

try this:

index=myIndexVal log_level="'ERROR'" | stats count by reason, desc

Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...