Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Multiple where count > in the same string

sanorthrup
Path Finder
‎08-26-2016 05:18 AM

We always see some failures in our logs. But when we have an issue, the number of failures goes thru the roof. I'm trying to combine all the failures types and the threshold we've specified into a single search. I can create a bunch of individual searches/alerts, but I'd really like to combine them.
Here's a single/working one:
index=foo "FailureReason=24403" earliest=-30m | stats count by host | where count >20

Here's where I attempted to combine two
index=foo earliest=-30m | stats count by host where count(FailureReason=24403) >20 OR count(FailureReason=22056) > 500

But obviously something is wrong with my search/syntax. Can anyone help please?

Thanks

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Nicolo_Figiani
Path Finder
‎08-26-2016 06:29 AM

Hi,
the following one should work:

index=foo earliest=-30m
| stats count(eval(FailureReason=24403)) AS fr_24403, count(eval(FailureReason=22056)) AS fr_22056 by host
| where fr_24403>20 AND fr_22056>500

As you can see stats command can do pretty neat tricks but its syntax is not really straightorward. more info here: stats extended examples

Hope it helps,
regards

View solution in original post

Reply
Solved! Jump to solution

sanorthrup
Path Finder
‎08-26-2016 08:00 AM

Sorry guys, neither of the above work. One user recommended that I try:

index=foo earliest=-30m
 | rex field=_raw "FailureReason\=(?[\d]+)"
 | search FailureReason=*
 | stats count by host, FailureReason
 | where (FailureReason=24403 and count > 20) OR (FailureReason=22056 and count > 500)

Which is the only one so far that works

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎08-26-2016 07:22 AM

Try this

index=foo (FailureReason=24403 OR FailureReason=22056) earliest=-30m | chart count over host by FailureReason | where 24403>20 OR 22056>500
Reply
Solved! Jump to solution
Solution

Nicolo_Figiani
Path Finder
‎08-26-2016 06:29 AM

Hi,
the following one should work:

index=foo earliest=-30m
| stats count(eval(FailureReason=24403)) AS fr_24403, count(eval(FailureReason=22056)) AS fr_22056 by host
| where fr_24403>20 AND fr_22056>500

As you can see stats command can do pretty neat tricks but its syntax is not really straightorward. more info here: stats extended examples

Hope it helps,
regards

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...