Re: How to make whole Statement as a field?

jw44250 · ‎05-01-2017

I have a search base like below and want to put the count as 1.

index=index1 test machine is not responding java.lang.NullPointerException as "test" | stats  count by test | dedup test

My count is 0

somesoni2 · ‎05-01-2017

The stats commands works upon the fields. Assuming whatever string you've on base search you want to show count of it, Try one of following methods.

index=index1 test machine is not responding java.lang.NullPointerException | stats count  | eval test="test machine is not responding java.lang.NullPointerException " | table test count

OR

 index=index1 test machine is not responding java.lang.NullPointerException | rex "(?<test>test machine is not responding java.lang.NullPointerException)"  | stats count by test

jw44250 · ‎05-01-2017

Thanks. let me try it.

can i do soemthing like this, it works but not gettign any result
index=index1 test machine is not responding java.lang.NullPointerException as "testmachine" | stats count by testmachine

somesoni2 · ‎05-01-2017

No you can't. YOu can't assign a field name to a string. You would need to have it extracted (like option 2) before you could use it.

How to make whole Statement as a field?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation