How to search the count of two strings in two separate lines in our sample log files?


I need to search two strings within the set of rows of the log file. I have a process running for the new webscript - Catalina-exec-7 and need to see the count of all such events where we have "source=vendor" from the querystring (row 4 in the sample log below) and "Bill Uploaded successfully" from the second to last line.

2016-10-20 17:51:47,207 INFO  [com.comp.app.webscripts.CompAbstractBaseWebscript.execute(CompAbstractBaseWebscript.java:66)] [catalina-exec-7] ****** NEW WEBSCRIPT REQUEST ******
Server Path: http://app.comp.com:80
Service Path: /app/service/ccomp/bill/policy/BillUpload
Query String: isHidden=false&sensitive=unrestricted&Amount=200&**source=vendor**&name=20161020_123.TIF&mimeType=image
2016-10-20 17:51:47,207 INFO  [com.comp.bill.webscripts.BillUploadWebscript.executeWS(BillUploadWebscript.java:38)] [catalina-exec-7] ***** New Bill Upload request Started *****
2016-10-20 17:51:47,209 DEBUG [comp.common.util.CitizensUploadUtilImpl.getUploadProps(CitizensUploadUtilImpl.java:245)] [catalina-exec-7] Adding content properties to object map.
2016-10-20 17:51:47,209 INFO  [com.comp.bill.BillServiceImpl.processBillUploadRequest(BillServiceImpl.java:136)] [catalina-exec-7] Begin - processBillingUploadRequest method
2016-10-20 17:51:47,210 INFO  [com.comp.bill.BillServiceImpl.fetchParentNodeRef(BillServiceImpl.java:177)] [catalina-exec-7] ## fetchParentNodeRef method 
2016-10-20 17:51:47,222 DEBUG [comp.common.util.CompFolderUtilImpl.buildContentPath(CompFolderUtilImpl.java:121)] [catalina-exec-7] Path toString: [Comp, Bill, 00, 54, 89, 66, 02]
2016-10-20 17:51:47,222 TRACE [comp.common.util.CompFolderUtilImpl.buildContentPath(CompFolderUtilImpl.java:136)] [catalina-exec-7] Currently processing: Comp
2016-10-20 17:51:47,225 TRACE [comp.common.util.CompFolderUtilImpl.buildContentPath(CompFolderUtilImpl.java:136)] [catalina-exec-7] Currently processing: Bill
2016-10-20 17:51:47,229 TRACE [comp.common.util.CompFolderUtilImpl.buildContentPath(CompFolderUtilImpl.java:136)] [catalina-exec-7] Currently processing: 00
2016-10-20 17:51:47,231 TRACE [comp.common.util.CompFolderUtilImpl.buildContentPath(CompFolderUtilImpl.java:136)] [catalina-exec-7] Currently processing: 54
2016-10-20 17:51:47,232 TRACE [comp.common.util.CompFolderUtilImpl.buildContentPath(CompFolderUtilImpl.java:136)] [catalina-exec-7] Currently processing: 89
2016-10-20 17:51:47,264 TRACE [comp.common.util.CompFolderUtilImpl.buildContentPath(CompFolderUtilImpl.java:136)] [catalina-exec-7] Currently processing: 66
2016-10-20 17:51:47,289 TRACE [comp.common.util.CompFolderUtilImpl.buildContentPath(CompFolderUtilImpl.java:136)] [catalina-exec-7] Currently processing: 02
016-05-18 17:51:47,426 DEBUG [comp.common.util.CompUploadUtilImpl.doCheckAspectProcess(CompUploadUtilImpl.java:283)] [catalina-exec-7] Checking for check parameters
2016-10-20 17:51:47,427 DEBUG [com.comp.bill.webscripts.BillUploadWebscript.executeWS(BillUploadWebscript.java:59)] [catalina-exec-7] **Bill Uploaded successfully**
2016-10-20 17:51:47,427 INFO  [com.comp.bill.webscripts.BillUploadWebscript.executeWS(BillUploadWebscript.java:79)] [catalina-exec-7] ************ Bill Upload end ************

Ultimately, we need a count of all the "Bill Uploaded successfully" events where the request had "source=vendor".


Hello @runiyal

Method #1: You can extract the source value to an extracted field and then apply the condition after extraction.

Example: Sourcename is the field you extract, and you can simply ask Splunk to |search Sourcename=vendor, which will limit the results to the events that contain that field.

Method #2: use a combination of eval, the match function and the condition you want.

Method #3: use a stats and eval combination with an AND condition (if both conditions you are looking for are key pairs).

Hope this helps,


Give this a try

index=foo sourcetype=bar ("NEW WEBSCRIPT REQUEST" AND "source=vendor") OR "Bill Uploaded successfully"
| eval counter=if(searchmatch("NEW WEBSCRIPT REQUEST"),1,0) | eval isVendor=if(searchmatch("source=vendor"),1,0) | eval isSuccess=if(searchmatch("Bill Uploaded successfully"),1,0) | accum counter
| stats sum(isVendor) as vendorBill, sum(isSuccess) as uploadOk by counter | where vendorBill=1 AND uploadOk=1 | stats count


index=foo sourcetype=bar ("NEW WEBSCRIPT REQUEST") OR "Bill Uploaded successfully"
| transaction startswith="NEW WEBSCRIPT REQUEST" endswith="Bill Uploaded successfully"
| where searchmatch("source=vendor") | stats count
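Both queries above pair each "NEW WEBSCRIPT REQUEST" block with the success line that follows it. As an added example that is not part of any answer here, the same correlation in Python over a constructed excerpt in the question's log format: events are split on the timestamp prefix the way Splunk line-breaks them, the query string is parsed instead of substring-matched, and pairing is done per thread name (the bracketed catalina-exec-N tag), so interleaved requests on different threads are not mixed up. Logger names and parameter values in the sample are made up.

```python
import re
from urllib.parse import parse_qs

# Constructed excerpt in the question's format (loggers shortened, values made up):
# two interleaved threads, then a vendor request on exec-7 that does not succeed.
SAMPLE_LOG = """\
2016-10-20 17:51:47,207 INFO  [com.comp.app.Base.execute(Base.java:66)] [catalina-exec-7] ****** NEW WEBSCRIPT REQUEST ******
Query String: isHidden=false&Amount=200&source=vendor&name=20161020_123.TIF&mimeType=image
2016-10-20 17:51:47,208 INFO  [com.comp.app.Base.execute(Base.java:66)] [catalina-exec-9] ****** NEW WEBSCRIPT REQUEST ******
Query String: isHidden=false&source=portal&name=20161020_124.TIF
2016-10-20 17:51:47,427 DEBUG [com.comp.bill.Upload.executeWS(Upload.java:59)] [catalina-exec-7] Bill Uploaded successfully
2016-10-20 17:51:47,430 DEBUG [com.comp.bill.Upload.executeWS(Upload.java:59)] [catalina-exec-9] Bill Uploaded successfully
2016-10-20 17:51:48,001 INFO  [com.comp.app.Base.execute(Base.java:66)] [catalina-exec-7] ****** NEW WEBSCRIPT REQUEST ******
Query String: source=vendor&name=20161020_125.TIF
2016-10-20 17:51:48,050 ERROR [com.comp.bill.Upload.executeWS(Upload.java:70)] [catalina-exec-7] Bill Upload failed
"""

# A line that starts with a timestamp begins a new event; any other line continues the previous one.
EVENT_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
THREAD = re.compile(r"\[(catalina-exec-\d+)\]")

def split_events(log_text):
    """Group raw lines into multi-line events, the way Splunk line-breaks on the timestamp."""
    events = []
    for line in log_text.splitlines():
        if EVENT_START.match(line) or not events:
            events.append([line])
        else:
            events[-1].append(line)
    return ["\n".join(ev) for ev in events]

def query_source(event):
    """Return the 'source' query parameter of a request event, parsed rather than substring-matched."""
    for line in event.splitlines():
        if line.startswith("Query String:"):
            return parse_qs(line.split(":", 1)[1].strip()).get("source", [None])[0]
    return None

def count_vendor_successes(log_text):
    """Count requests with source=vendor that logged 'Bill Uploaded successfully' on the same thread."""
    pending, count = {}, 0  # thread -> whether its still-open request is a vendor request
    for event in split_events(log_text):
        m = THREAD.search(event)
        if m is None:
            continue
        if "NEW WEBSCRIPT REQUEST" in event:  # a new request supersedes an unfinished one on that thread
            pending[m.group(1)] = query_source(event) == "vendor"
        elif "Bill Uploaded successfully" in event and pending.pop(m.group(1), False):
            count += 1
    return count
```

Running count_vendor_successes(SAMPLE_LOG) gives 1: the exec-9 request is not a vendor request, and the second exec-7 vendor request never logs success.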
