Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Multiple where count > in the same string
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We always see some failures in our logs. But when we have an issue, the number of failures goes thru the roof. I'm trying to combine all the failures types and the threshold we've specified into a single search. I can create a bunch of individual searches/alerts, but I'd really like to combine them.
Here's a single/working one:
index=foo "FailureReason=24403" earliest=-30m | stats count by host | where count >20
Here's where I attempted to combine two
index=foo earliest=-30m | stats count by host where count(FailureReason=24403) >20 OR count(FailureReason=22056) > 500
But obviously something is wrong with my search/syntax. Can anyone help please?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
the following one should work:
index=foo earliest=-30m
| stats count(eval(FailureReason=24403)) AS fr_24403, count(eval(FailureReason=22056)) AS fr_22056 by host
| where fr_24403>20 AND fr_22056>500
As you can see stats command can do pretty neat tricks but its syntax is not really straightorward. more info here: stats extended examples
Hope it helps,
regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry guys, neither of the above work. One user recommended that I try:
index=foo earliest=-30m
| rex field=_raw "FailureReason\=(?[\d]+)"
| search FailureReason=*
| stats count by host, FailureReason
| where (FailureReason=24403 and count > 20) OR (FailureReason=22056 and count > 500)
Which is the only one so far that works
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
index=foo (FailureReason=24403 OR FailureReason=22056) earliest=-30m | chart count over host by FailureReason | where 24403>20 OR 22056>500
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
the following one should work:
index=foo earliest=-30m
| stats count(eval(FailureReason=24403)) AS fr_24403, count(eval(FailureReason=22056)) AS fr_22056 by host
| where fr_24403>20 AND fr_22056>500
As you can see stats command can do pretty neat tricks but its syntax is not really straightorward. more info here: stats extended examples
Hope it helps,
regards
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
