- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Search query result from two log statements.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Search query result from two log statements.
Hi,
I wanted to search result as count from two log statements.
one log statement has value "...Out of stock ..."
and another log statement has "DF Suppressed"
I wanted to get count of these two for transaction for past 10 days. Each log statement prints with a transactionId.
This is the one I have for only one item
index=idp_* "DF Suppressed" | dedup x_TraceId | stats count as DF_Supress_count | where DF_Supress_count>0
But I want to include "Out of stock" to the query
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe something like this:
index=idp_* ("DF Suppressed" OR "Out of stock") transactionId=*
| rex field=_raw ".+(?<dfsuppressed>DF Suppressed)"
| rex field=_raw ".+(?<outofstock>Out of stock)"
| stats count(outofstock) as oosCount count(dfsuppressed) as dfsCount by transactionId
Add additional filtering later - for example:
| where dfsCount>0 AND oosCount>0
...or whatever else you might like.
This will create two new fields - dfsuppressed and outofstock - which will either have the text you're looking for in them, or be null.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your answer.
Your search criteria ran without any errors but I see only Out of Stock(oosCount ) counts and 0 count for dfsCount.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Add a |fillnull between the second | rex line and the | stats thusly:
index=idp_* ("DF Suppressed" OR "Out of stock") transactionId=*
| rex field=_raw ".+(?<dfsuppressed>DF Suppressed)"
| rex field=_raw ".+(?<outofstock>Out of stock)"
| fillnull
| stats count(outofstock) as oosCount count(dfsuppressed) as dfsCount by transactionId
You may have events where one or the other of the rex lines isn't pulling an actual value, so it's getting null. Adding a | fillnull will put the value of 0 in any otherwise-null fields.
Also, make sure that the exact text is correct on the rex lines (eg "Out of stock" vs "Out Of Stock")
Introducing the Splunk Community Dashboard Challenge!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
