Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search to Consolidate similar messages into one?

Vani_26
Path Finder
‎03-15-2023 01:45 PM

Query:
index=xxx  application_code=mobile  NOT   feature 
|stats count by code message
|sort -count
|eval message-substr(message, 1, 40)

output:

code message count
mobile-job-115 application error occured 100
mobile-app-180 application is stable 240
app-job-800 information good 34
project-job-100 system error occured 10
project-job-100    system error occured 20
project-job-100    system error occured 34
project-job-100    system error occured 23
project-job-100    system error occured 50


 expected output:

code message count
mobile-job-115 application error occured 100
mobile-app-180 application is stable 240
app-job-800 information good 34
project-job-100 system error occured 137


 i want to get my table display count as one value for similar messages like for example(system error occured) as shown above.

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-15-2023 02:15 PM

And who says you can't do

| stats sum(count) ...

after what you already have?

But on the other hand - why not just do the substr() earlier in the pipeline?

0 Karma
Reply

Vani_26
Path Finder
‎03-15-2023 02:27 PM

Hi  @PickleRick 

i tried sum(count) but its not coming.
no values are displaying under count

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-16-2023 01:15 AM

Unless you rename the resulting column, it will be called sum(count), not count anymore.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...