Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Looking for a faster search query: Count different platforms from somewhat same events

Bleepie
Communicator
‎10-07-2021 05:47 AM

Dear Splunk Community,

I have the following search:

 

index=websphere 200 OK POST

 

And I have different platforms that I find like this:

 

index=websphere 200 OK POST LINUX
index=websphere 200 OK POST Windows
index=websphere 200 OK POST zLinux

 

I am currently using the following query to count all 200 OK POST events per platform:

 

index=websphere 200 OK POST LINUX | stats count | rename count AS "Linux" | append [search index=websphere 200 OK POST WINDOWS | stats count | rename count AS "Windows"] | append [search index=websphere 200 OK POST ZLINUX | stats count | rename count AS "zLinux"]

 

This is just an example, I have way more platforms that I search like in the query above. I have two issues:

  • Its slow
  • It counts per platform and generates table headers horizontally that I don't want

Bleepie_0-1633610704587.png

I would like to change the above so that I get the following output:

Platform | Count

Linux | 24

Windows | 50

zLinux | 0

Also, using append search seems a bit devious. There must be a simpler, faster and better way to do this, but how?

Thanks in advance

 

EDIT: Please note that the results are all shown in _raw , there are no platform fields or anything generated

Labels (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-07-2021 07:58 AM

Try something like this

index=websphere 200 OK POST (LINUX OR WINDOWS OR ZLINUX) | eval Platform=case(searchmatch("LINUX"),"LINUX", searchmatch("WINDOWS"),"WINDOWS", true(),"ZLINUX") | stats count by Platform

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-07-2021 07:58 AM

Try something like this

index=websphere 200 OK POST (LINUX OR WINDOWS OR ZLINUX) | eval Platform=case(searchmatch("LINUX"),"LINUX", searchmatch("WINDOWS"),"WINDOWS", true(),"ZLINUX") | stats count by Platform
0 Karma
Reply
Solved! Jump to solution

Bleepie
Communicator
‎10-08-2021 12:34 AM

Thanks! Works like a charm! Not familiair with searchmatch but will look into it.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

New This Month - Observability Updates Give Extended Visibility and Improve User ...

This month is a collection of special news! From Magic Quadrant updates to AppDynamics integrations to ...

Intro to Splunk Synthetic Monitoring

In our last post, we mentioned that the 3 key pieces of observability – metrics, logs, and traces – provide ...