Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is stats count on multi-line events giving me a wrong answer ?

ryantzj
Explorer
‎05-04-2015 01:28 AM

I have been trying to get splunk work with the switch log to show availability of ports divided by its device name, interface and hardware types with the query below 

sourcetype=nexus_switch | rex field=_raw max_match=1000000 "(?m)(?P<Begin>(Ethernet\d\S+).*  
\s.*  
\s.*  
)" | rex field=Begin "(?PEthernet\d\S+)\sis\s(?P.*)  
\s.*  
\s+Hardware(\sis|:)\s(?P.*)," |  stats count by DeviceName, interface, hardware_type, status

But it shows an incorrect count of 10,000+ total interface where i have only 800. Below is a snippet of my log, line break by the long underscore line, every event contain about 20+ interface. 

    ___________________________________________________________________________  

akcfj-sfe-gere (22.23.1.13):  



--------------  

term len 0  

--------------  



--------------  

show interface  

--------------  


Ethernet1/1 is up  

     Dedicated Interface   

      Hardware: 1000/10000 Ethernet, address: 0032.7321.b738 (bia 0032.7321.b738)  

      Description: NP2:*** akcfj-sfe-gere Ten3/1 ***  

      MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec  

      reliability 255/255, txload 1/255, rxload 1/255  

      Encapsulation ARPA  

      Port mode is trunk  

      full-duplex, 10 Gb/s, media type is 10G  

      Beacon is turned off  

      Input flow-control is off, output flow-control is off  

      Rate mode is dedicated  

      Switchport monitor is off   

      EtherType is 0x8100   

      Last link flapped 23week(s) 3day(s)  

      Last clearing of "show interface" counters never  

      30 seconds input rate 75332208 bits/sec, 8743 packets/sec  

      30 seconds output rate 11084936 bits/sec, 3769 packets/sec  

      Load-Interval #2: 5 minute (300 seconds)  

        input rate 68.78 Mbps, 8.81 Kpps; output rate 11.02 Mbps, 4.28 Kpps  

      RX  

        307056506315 unicast packets  331016646 multicast packets  81428671 broadcast packets  

        307468951632 input packets  325254018013003 bytes  

        200664768545 jumbo packets  0 storm suppression packets  

        0 runts  0 giants  0 CRC  0 no buffer  

        0 input error  0 short frame  0 overrun   0 underrun  0 ignored  

        0 watchdog  0 bad etype drop  0 bad proto drop  0 if down drop  

        0 input with dribble  0 input discard  

        0 Rx pause  

      TX  

        253672222513 unicast packets  30735817 multicast packets  20055695 broadcast packets  

        253723014025 output packets  203569881588917 bytes  

        119425086337 jumbo packets  

        0 output errors  0 collision  0 deferred  0 late collision  

        0 lost carrier  0 no carrier  0 babble 0 output discard  

        0 Tx pause  

      1 interface resets
Tags (3)
0 Karma
Reply

woodcock
Esteemed Legend
‎05-12-2015 12:59 PM

I think what you are trying to do is count things within each event, but what you are doing is counting things across events. To count things within events, you need to something like this ... | eval numInterfaces=mvcount(interface). If you will be VERY clear about EXACTLY what you are trying to do, I can help you more but I think this is the crux of your problems.

0 Karma
Reply

woodcock
Esteemed Legend
‎11-04-2015 01:01 PM

Did this work?

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎05-04-2015 02:55 AM

Hi ryantzj,

have you tested any of the apps provided https://splunkbase.splunk.com/apps/#/page/1/search/nexus/order/relevance they will do all the field extractions from nexus logs for you....

cheers, MuS

0 Karma
Reply

ryantzj
Explorer
‎05-04-2015 03:31 AM

Hi MuS,

Thanks for the suggestion, but apparently the log format are not supported by the cisco nexus add on... any workaround for this ?

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...