Solved: How to segregate the count or limit the count to 1...

Aj01 · ‎06-01-2023

index="go_pro" Appid="APP-5f" prod (":[ Axis" OR "ErrorCode" OR "System Error" OR "Invalid User :")
| rex field=_raw "ErrorDesc\:\s(?<error_caused_by>.*?)\Z"
| rex field=_raw "calldm\(\)\s\:\[\s(?<error_caused_by>.*?)\Z"
| rex field=_raw "app5f\-(?<Environment>.*?)\-\Z"
| convert timeformat="%m-%d-%Y %I:%M:%S" ctime(_time) AS time
| stats count by time error_caused_by Environment host
| reverse

i am using this query but in count some transactions are matching so the count is getting to 5 or 6 because that transaction were matching i want every transaction to come on different line if they are matching also.

PLease help me in segregating the count or limit the count to 1

Aj01 · ‎06-21-2023

i have used table instead of stats and now we are not seeing that issue as the events are not merging now

View solution in original post

Aj01 · ‎06-21-2023

i have used table instead of stats and now we are not seeing that issue as the events are not merging now

ITWhisperer · ‎06-01-2023

You don't appear to have extract anything that identifies the transaction. You would need to do this and add it to the by clause of your stats command to split the transactions into separate "lines"

Aj01 · ‎06-01-2023

I am using by clause but because of the same time and transaction they are coming as aggregated for transactions, i want to remove that aggregation

ITWhisperer · ‎06-01-2023

Perhaps if you shared some anonymised events which demonstrate the issue you are facing, we might be better placed to advise. Please use the code block </> button when inserting event data so that formatting (e.g. white spaces) of the event is preserved.

How to segregate the count or limit the count to 1?

count

rex

stats

.conf25 Community Recap

Splunk App Developers | .conf25 Recap & What’s Next

Congratulations to the 2025-2026 SplunkTrust!

Are you a member of the Splunk Community?