Splunk Search

counting occurences of a string in the log message


Our logs contain some multi-line messages (e.g. a list of tasks running) that look like this

ID, state, comment
1544, sleep, 'not doing anything'
2547, working, 'executing task ...'
3514, sleep, 'not doing anything'
7877, working, 'executing task ...'

I need to count how many tasks were running / sleeping - I thought I could simply count 'sleep' occurrences, but I can't find a suitable command / function. How to do that?

0 Karma


Ok, so I dumped your data into a log file just to test.
First of all I assume you haven't done any extraction so you want to use multikv to extract the values against the header fields. Next you can just do a search to filter down to those values and then count them, like so;

sourcetype=mvdata | multikv | search state=" sleep" | stats count

Note that sleep has been extracted with a space before it, you could fix this with rex but I'll leave that for you to have a play with and come back if you get stuck 🙂

Is that what you were after?
You could always do a | stats count by state to count the different states if you wanted.


Ok, so there are a couple of ways to do that, here is one that I've quickly thrown together that should work;

| multikv | stats count by state,_time | transaction _time


Ah, I'll pop an update above

0 Karma


Thanks, although I've just noticed that my question was ambiguous.
My goal was to get something like '5 rows with Sleep state, 1 in Active state' for each multi-line message.

This works a bit differently (if I unterstand it correctly), i.e. it splits the multi-line log into independent log messages and then I can search those to get "global counts".

In the end it gives me most of the info I needed (how many 'Sleep' or 'Active' messages were there through the day) but if possible I'd like to know e.g. the number of 'Sleep-only' messages etc.

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...