Splunk Search

How to search the count of two strings in two separate lines in our sample log files?

runiyal
Path Finder

I need to search two strings within the set of rows of the log file. I have a process running for the new webscript - Catalina-exec-7 and need to see the count of all such events where we have "source=vendor" from the querystring (row 4 in the sample log below) and "Bill Uploaded successfully" from the second to last line.

2016-10-20 17:51:47,207 INFO  [com.comp.app.webscripts.CompAbstractBaseWebscript.execute(CompAbstractBaseWebscript.java:66)] [catalina-exec-7] ****** NEW WEBSCRIPT REQUEST ******
Server Path: http://app.comp.com:80
Service Path: /app/service/ccomp/bill/policy/BillUpload
Query String: isHidden=false&sensitive=unrestricted&Amount=200&**source=vendor**&name=20161020_123.TIF&mimeType=image
2016-10-20 17:51:47,207 INFO  [com.comp.bill.webscripts.BillUploadWebscript.executeWS(BillUploadWebscript.java:38)] [catalina-exec-7] ***** New Bill Upload request Started *****
2016-10-20 17:51:47,209 DEBUG [comp.common.util.CitizensUploadUtilImpl.getUploadProps(CitizensUploadUtilImpl.java:245)] [catalina-exec-7] Adding content properties to object map.
2016-10-20 17:51:47,209 INFO  [com.comp.bill.BillServiceImpl.processBillUploadRequest(BillServiceImpl.java:136)] [catalina-exec-7] Begin - processBillingUploadRequest method
2016-10-20 17:51:47,210 INFO  [com.comp.bill.BillServiceImpl.fetchParentNodeRef(BillServiceImpl.java:177)] [catalina-exec-7] ## fetchParentNodeRef method 
2016-10-20 17:51:47,222 DEBUG [comp.common.util.CompFolderUtilImpl.buildContentPath(CompFolderUtilImpl.java:121)] [catalina-exec-7] Path toString: [Comp, Bill, 00, 54, 89, 66, 02]
2016-10-20 17:51:47,222 TRACE [comp.common.util.CompFolderUtilImpl.buildContentPath(CompFolderUtilImpl.java:136)] [catalina-exec-7] Currently processing: Comp
2016-10-20 17:51:47,225 TRACE [comp.common.util.CompFolderUtilImpl.buildContentPath(CompFolderUtilImpl.java:136)] [catalina-exec-7] Currently processing: Bill
2016-10-20 17:51:47,229 TRACE [comp.common.util.CompFolderUtilImpl.buildContentPath(CompFolderUtilImpl.java:136)] [catalina-exec-7] Currently processing: 00
2016-10-20 17:51:47,231 TRACE [comp.common.util.CompFolderUtilImpl.buildContentPath(CompFolderUtilImpl.java:136)] [catalina-exec-7] Currently processing: 54
2016-10-20 17:51:47,232 TRACE [comp.common.util.CompFolderUtilImpl.buildContentPath(CompFolderUtilImpl.java:136)] [catalina-exec-7] Currently processing: 89
2016-10-20 17:51:47,264 TRACE [comp.common.util.CompFolderUtilImpl.buildContentPath(CompFolderUtilImpl.java:136)] [catalina-exec-7] Currently processing: 66
2016-10-20 17:51:47,289 TRACE [comp.common.util.CompFolderUtilImpl.buildContentPath(CompFolderUtilImpl.java:136)] [catalina-exec-7] Currently processing: 02
016-05-18 17:51:47,426 DEBUG [comp.common.util.CompUploadUtilImpl.doCheckAspectProcess(CompUploadUtilImpl.java:283)] [catalina-exec-7] Checking for check parameters
2016-10-20 17:51:47,427 DEBUG [com.comp.bill.webscripts.BillUploadWebscript.executeWS(BillUploadWebscript.java:59)] [catalina-exec-7] **Bill Uploaded successfully**
2016-10-20 17:51:47,427 INFO  [com.comp.bill.webscripts.BillUploadWebscript.executeWS(BillUploadWebscript.java:79)] [catalina-exec-7] ************ Bill Upload end ************

Ultimately, we need a count of all the "Bill Uploaded successfully" events where the request has "source=vendor".

Thanks!


somesoni2
SplunkTrust

Give this a try

index=foo sourcetype=bar ("NEW WEBSCRIPT REQUEST" OR "Bill Uploaded successfully")
| reverse
| eval counter=if(searchmatch("NEW WEBSCRIPT REQUEST"),1,0) | eval isVendor=if(searchmatch("source=vendor"),1,0) | eval isBill=if(searchmatch("Bill Uploaded successfully"),1,0) | accum counter
| stats sum(isVendor) as vendorBill, sum(isBill) as billDone by counter | where vendorBill>0 AND billDone>0 | stats count

OR

index=foo sourcetype=bar ("NEW WEBSCRIPT REQUEST") OR "Bill Uploaded successfully"
| transaction startswith="NEW WEBSCRIPT REQUEST" endswith="Bill Uploaded successfully"
| where searchmatch("source=vendor") | stats count

Raghav2384
Motivator

Hello @runiyal

Method #1: You can extract the source values to an extracted field and then apply the condition after extraction.

Example: Sourcename is the field you extract, and you can simply ask Splunk to |search Sourcename=vendor, which will limit it to the events that contain that field.

Method #2: use a combination of eval, the match function and the condition you want.

Method #3: use a stats and eval combination with an AND condition (if both conditions you are looking for are key pairs).

Hope this helps,
Thanks,
Raghav
