Solved: Re: count message types by facility

technoe · ‎02-10-2014

I need to know when a particular facility isn't passing a message type(s). In Powershell it would be as easy as, foreach($facility in $facilities) find message_types...however, sense Splunk doesn't have a foreach command, I'm not sure how to do this. The index contains a field called facility and a field called message_type. Let me know if you need more info.

Thanks!

somesoni2 · ‎02-10-2014

Try this

<your search providing list of message types (field coming here is message_type)> | join type=left max=0 message_type [search <your base search> | stats count by message_type, facilities] | fillnull count

Query updated to include max=0. try this one. Sample with considering you're using lookup table file.

 | lookup messagetypes.csv | fields message_type | join type=left max=0 message_type [search <your base search> | stats count by message_type, facilities] | fillnull count

View solution in original post

uuppuluri_splun · ‎03-07-2014

Splunk has a foreach command
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Foreach

technoe · ‎02-10-2014

That's really close. Unfortunately, it's only returning about 22 results. There should be hundreds.

somesoni2 · ‎02-10-2014

Try this

<your search providing list of message types (field coming here is message_type)> | join type=left max=0 message_type [search <your base search> | stats count by message_type, facilities] | fillnull count

Query updated to include max=0. try this one. Sample with considering you're using lookup table file.

 | lookup messagetypes.csv | fields message_type | join type=left max=0 message_type [search <your base search> | stats count by message_type, facilities] | fillnull count

technoe · ‎02-10-2014

That is it exactly! Thanks a ton. I've been working on this for a week straight.

somesoni2 · ‎02-10-2014

try the updated query.

technoe · ‎02-10-2014

I have a lookup file containing every file type but I don't know how to compare that to the results of the search.

theouhuios · ‎02-10-2014

Is there any information in the data which says a particular messsage_type isn't working in a facility? If not, then you might have to use some other methods like Lookup table where you use your existing list with splunk returned results and then compare the values to get the final result.

technoe · ‎02-10-2014

Let me say this another way. I have a list of known message types and I need to know that each facility is processing each message type over a period of time, if the message type count is 0 I need to know that.

technoe · ‎02-10-2014

That doesn't show me 0 values though. I need to compare the index to a list of known message types.

theouhuios · ‎02-10-2014

Please try this |stats count by message_type,facilities

technoe · ‎02-10-2014

Output should be a list of message_types per facility, including 0 count message_types ie:
message_type facilities count
type1 facility1 1
type2 3
type3 0

type1                      facility2                 2

etc....

somesoni2 · ‎02-10-2014

Check splunk's map search command which provides foreach loop. Also, provide sample data/expected output.

count message types by facility

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation