Splunk Search

Search to Consolidate similar messages into one?

Vani_26
Path Finder

Query:
index=xxx application_code=mobile NOT feature
| stats count by code, message
| sort -count
| eval message=substr(message, 1, 40)

Output:

code              message                     count
mobile-job-115    application error occured   100
mobile-app-180    application is stable       240
app-job-800       information good            34
project-job-100   system error occured        10
project-job-100   system error occured        20
project-job-100   system error occured        34
project-job-100   system error occured        23
project-job-100   system error occured        50


Expected output:

code              message                     count
mobile-job-115    application error occured   100
mobile-app-180    application is stable       240
app-job-800       information good            34
project-job-100   system error occured        137


I want my table to display the count as one value for similar messages, for example "system error occured", as shown above.


PickleRick
SplunkTrust

And who says you can't do

| stats sum(count) ...

after what you already have?

But on the other hand - why not just do the substr() earlier in the pipeline?


Vani_26
Path Finder

Hi @PickleRick,

I tried sum(count) but it's not working.
No values are displayed under count.


PickleRick
SplunkTrust

Unless you rename the resulting column, it will be called sum(count), not count anymore.

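Both of PickleRick's suggestions written out as complete searches. This is an added example, not a query posted in the thread: the index, the field names and the 40-character cut are taken from the question, everything else is an assumption. The first search keeps the original pipeline and appends a second stats that sums the per-message counts after the truncation, renaming the result back to count so the column keeps its name; the second search moves the substr() before the first stats, so the events are grouped on the truncated message from the start and only one stats is needed.

```spl
index=xxx application_code=mobile NOT feature
| stats count BY code, message
| eval message=substr(message, 1, 40)
| stats sum(count) AS count BY code, message
| sort 0 -count

index=xxx application_code=mobile NOT feature
| eval message=substr(message, 1, 40)
| stats count BY code, message
| sort 0 -count
```

Two practical notes. sort has a default limit of 10000 results; sort 0 removes it, which matters if the search has more than 10000 distinct code/message pairs and the sort sits in the middle of the pipeline as it does in the original query. And truncating to 40 characters merges every message that shares a prefix, not only the ones that differ in a trailing ID or timestamp; if this table is used for triage, replacing only the variable tokens (for example replace(message, "\d+", "N") to collapse numbers) keeps distinct error classes apart while still consolidating the repeats.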