Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search for a series of strings then count and display by host?

skiller1234
Explorer
‎05-03-2018 02:26 PM

Hello everybody!

Trying to search for a series of strings - then count and display by host. I got this far:

index=index host=*server* "failover" OR "Whatever" OR "screwup"
| rex "(?<error>failover)"
| rex "(?<error>Whatever)"
| rex "(?<error>screwup)"
| stats count by host,error
| xyseries error,host,count

So I get a chart like so:

error                     server1                       server2                  server3

screwup                10                                      11                            18

Which is what I want - but I only get the last result set (for screwup). I know all 3 have results. What am I doing wrong in creating my new field called error with 3 possible values?

Skiller

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

xpac
SplunkTrust
SplunkTrust
‎05-03-2018 10:22 PM

Change your rex like this:

| rex "(?(?:failover|Whatever|screwup))"

This should check all conditions in one. Else every rex line has the potential to overwrite the result from the line(s) before it. 😉

EDIT: Can there be more than one error in the same event?

In that case, do | rex max_match=0 "(?(?:failover|Whatever|screwup))"

View solution in original post

Reply
Solved! Jump to solution
Solution

xpac
SplunkTrust
SplunkTrust
‎05-03-2018 10:22 PM

Change your rex like this:

| rex "(?(?:failover|Whatever|screwup))"

This should check all conditions in one. Else every rex line has the potential to overwrite the result from the line(s) before it. 😉

EDIT: Can there be more than one error in the same event?

In that case, do | rex max_match=0 "(?(?:failover|Whatever|screwup))"

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-03-2018 03:34 PM

Please share some sample events.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...