Hi,

I have created a Splunk alert where it is taking the error strings from the log files and grouping the similar strings and giving the count of particular error strings. This alert is running for every 24 hours.

This is the search:

index=abc sourcetype=xyz error earliest=-24h@h latest=now| rex field=_raw "\] - (?[^|]+).*"| stats count by CompleteErrorString

So the final output is something like this:

CompleteErrorString                                                count

Client is not configured properly in the database                   22
Client is not having enough permission to access the application     7
SOAP Fault occurred                                                 14

So these are the three different error strings that got generated in the last 24 hours with their respective counts (number of times the string appeared in the log files) and I'm getting this whole output in an attached PDF which I had selected while creating the alert. Now my question: is there a way to get the total count of different error strings that are getting generated in the log files (here it is 3) along with the above output either in the attached PDF or in the alert mail body. When I am modifying the above search as:

index=abc sourcetype=xyz error earliest=-24h@h latest=now| rex field=_raw "\] - (?[^|]+).*"| stats count by CompleteErrorString|stats count as "Count of different error strings"

I am getting only the output as

Count of different error strings
3

But I want the combined output as something like this in the attached PDF or in the alert mail body:

Count of different error strings
3

CompleteErrorString                                                 count

Client is not configured properly in the database                     22
Client is not having enough permission to access the application       7
SOAP Fault occurred                                                   14

Any help on this will be greatly appreciated.