Splunk Search

How to segregate the count or limit the count to 1?

Aj01
Path Finder

index="go_pro" Appid="APP-5f" prod (":[ Axis" OR "ErrorCode" OR "System Error" OR "Invalid User :")
| rex field=_raw "ErrorDesc\:\s(?<error_caused_by>.*?)\Z"
| rex field=_raw "calldm\(\)\s\:\[\s(?<error_caused_by>.*?)\Z"
| rex field=_raw "app5f\-(?<Environment>.*?)\-\Z"
| convert timeformat="%m-%d-%Y %I:%M:%S" ctime(_time) AS time
| stats count by time error_caused_by Environment host
| reverse

 

i am using this query but in count some transactions are matching so the count is getting to 5 or 6 because that transaction were matching i want every transaction to come on different line if they are matching also.

PLease help me in segregating the count or limit the count to 1

Labels (3)
0 Karma
1 Solution

Aj01
Path Finder

i have used table instead of stats and now we are not seeing that issue as the events are not merging now

View solution in original post

0 Karma

Aj01
Path Finder

i have used table instead of stats and now we are not seeing that issue as the events are not merging now

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

You don't appear to have extract anything that identifies the transaction. You would need to do this and add it to the by clause of your stats command to split the transactions into separate "lines"

0 Karma

Aj01
Path Finder

I am using by clause but because of the same time and transaction they are coming as aggregated for transactions, i want to remove that aggregation

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Perhaps if you shared some anonymised events which demonstrate the issue you are facing, we might be better placed to advise. Please use the code block </> button when inserting event data so that formatting (e.g. white spaces) of the event is preserved.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...