Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

counting occurences of a string in the log message

tomasv
Explorer
‎06-23-2012 07:58 AM

Our logs contain some multi-line messages (e.g. a list of tasks running) that look like this

ID, state, comment
1544, sleep, 'not doing anything'
2547, working, 'executing task ...'
3514, sleep, 'not doing anything'
7877, working, 'executing task ...'

I need to count how many tasks were running / sleeping - I thought I could simply count 'sleep' occurrences, but I can't find a suitable command / function. How to do that?

0 Karma
Reply

Drainy
Champion
‎06-23-2012 09:51 AM

Ok, so I dumped your data into a log file just to test.
First of all I assume you haven't done any extraction so you want to use multikv to extract the values against the header fields. Next you can just do a search to filter down to those values and then count them, like so;

sourcetype=mvdata | multikv | search state=" sleep" | stats count

Note that sleep has been extracted with a space before it, you could fix this with rex but I'll leave that for you to have a play with and come back if you get stuck 🙂

Is that what you were after?
You could always do a | stats count by state to count the different states if you wanted.

EDIT:

Ok, so there are a couple of ways to do that, here is one that I've quickly thrown together that should work;

| multikv | stats count by state,_time | transaction _time
Reply

Drainy
Champion
‎06-23-2012 10:52 AM

Ah, I'll pop an update above

0 Karma
Reply

tomasv
Explorer
‎06-23-2012 10:12 AM

Thanks, although I've just noticed that my question was ambiguous.
My goal was to get something like '5 rows with Sleep state, 1 in Active state' for each multi-line message.

This works a bit differently (if I unterstand it correctly), i.e. it splits the multi-line log into independent log messages and then I can search those to get "global counts".

In the end it gives me most of the info I needed (how many 'Sleep' or 'Active' messages were there through the day) but if possible I'd like to know e.g. the number of 'Sleep-only' messages etc.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...