Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search count of multiple logs?

vishal_pcap
Explorer
‎01-16-2023 06:01 AM

How can I write a query like following? 

index=my_app
| eval userError="Error while fetching User"
| eval addressError = "Did not find address of user"
| stats count(userError) as totalUserErrors, count(addressError) as totalAddressErrors

Expected output: 

Error while fetching User 50
Did not find address of user 30
Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-16-2023 07:54 AM

Given that your event don't appear to have any structured fields, you could try counting matches of the _raw field

| stats count(eval(match(_raw,"Error while fetching Users"))) as userError count(eval(match(_raw,"No User address Found"))) as addressError

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-16-2023 06:11 AM

Is this what you are trying to do?

index=my_app
| stats count(eval(userError=="Error while fetching User")) as totalUserErrors, count(eval(addressError=="Did not find address of user")) as totalAddressErrors
0 Karma
Reply
Solved! Jump to solution

vishal_pcap
Explorer
‎01-16-2023 06:23 AM

The query doesn't return anything 😞  I wanted to have a tabular output - error message and number of times it appeared 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-16-2023 06:26 AM

Please share some of your events (in a code block using the </> formatting button), anonymised of course.

Also, share your current search, so we can see what you have tried so far..

0 Karma
Reply
Solved! Jump to solution

vishal_pcap
Explorer
‎01-16-2023 06:53 AM

So when I search the following query in splunk, it returns 50k+ records

index=xxxeks_prod_app cluster_name="xxxx-xxxxx-prod-eks-cluster-v1" container_name="xx*-service" "Error while fetching Users"

and I want to see the multiple error logs and their count (for the duration I have selected e.g. 30 minutes)
Here's what I have tried but it returned 0 count

index=xxxeks_prod_app cluster_name="xxxx-xxxxx-prod-eks-cluster-v1" container_name="xx*-service" | stats count(eval(userError=="Error while fetching Users")) as totalUserErrors
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-16-2023 07:03 AM

It looks like the errorError field has not been extracted. 

0 Karma
Reply
Solved! Jump to solution

vishal_pcap
Explorer
‎01-16-2023 07:10 AM

How to extract that? 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-16-2023 07:13 AM

Please share some of your events (in a code block using the </> formatting button), anonymised of course.

0 Karma
Reply
Solved! Jump to solution

vishal_pcap
Explorer
‎01-16-2023 07:26 AM

oh yes, 

1/16/23
7:15:44.624 AM	
2023-01-16 07:15:44 AM [http-nio-8080-exec-8] [trace_id:  / span_id: ] ERROR jobTraceId= commandTraceId=   {X-B3-ParentSpanId=xxxxxx, X-B3-SpanId=xxxxx, X-B3-TraceId=xxxxx, X-Span-Export=false, parentId=xxxxx, spanExportable=false, spanId=xxxx, traceId=xxxxxxxxxxxx} com.demo.controller.UserController - Error while fetching Users participant and plan info details=Could not find any User for the userId=202961636 java.lang.IllegalArgumentException: Could not find any User for userId=202961636
	at com.demo.service.UserServiceV2.lambda$prepareUserInfo$4(UserServiceV2.java:520) ~[demo-data-rest-1.0.22.12.40.jar:?]
	at java.util.Optional.orElseThrow(Unknown Source) ~[?:?]
	at com.demo.service.UserServiceV2.prepareUserInfo(UserServiceV2.java:520) ~[demo-data-rest-1.0.22.12.40.jar:?]

host = ip-11-000-00-00.us-west-2.compute.internalsource = /var/log/containers/demo-v2-service-55f87cc4v2-v2service-78f8e0f8ff9689627faa4718f34578bd511913596cbf57.logsourcetype = kube:container:demo-v2-service

 

and 

2023-01-16 07:21:28 AM [http-nio-8080-exec-63] [trace_id:  / span_id: ] ERROR com.demo.service.PersonApiChunkService - Error while handling user: bae9877cf5ab433xx39fda32ffd9833exx6bf2 com.demo.exception.ResourceNotFoundException: No User address Found for personId=329813370 deviceId=7440501_P_192

host = ip-11-000-00-00.us-west-2.compute.internalsource = /var/log/containers/demo-v2-service-55f87cc4v2-v2service-78f8e0f8ff9689627faa4718f34578bd511913596cbf57.logsourcetype = kube:container:demo-v2-service
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-16-2023 07:54 AM

Given that your event don't appear to have any structured fields, you could try counting matches of the _raw field

| stats count(eval(match(_raw,"Error while fetching Users"))) as userError count(eval(match(_raw,"No User address Found"))) as addressError
Reply
Solved! Jump to solution

vishal_pcap
Explorer
‎01-16-2023 08:09 AM

This works! 🙂 Thank you very much,  I have also figured out one more way to do this: 

| eval errorType=case(
   match(_raw, "Error while fetching Users"), "Error while fetching Users",
   match(_raw, "No User address Found"), "No User address Found"
) | stats count by errorType | table errorType, count

This gives me the table structure I wanted, the error message and count.  

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...