Solved: Re: search pattern sum count if it repeated more t...

harsush · ‎12-17-2020

Hi Team,

index=AA source=*XXX.log
| rex field=_raw "- (?<uc>U(\d{7}|\d{8})) "
| rex field=uc "(?<ul5>\d{5})$"
| rex "[^\w](?<JOB>(?<env>[A-Z0-9@_#]+)\.[A-Z0-9@_#]+\.[A-Z0-9@_#]+\.(?<app>[A-Z0-9@_#]+\.[A-Z0-9@_#]+)\.[A-Z0-9@_#]+)"
| search env=* app=* JOB=*DEV.* ul5=*11007*
| stats count as "Alert Count" by JOB
| sort - "Alert Count"

with abv search i can get count of jobs which has ul5=*11007* for a given period of time

example for 7 days i got below output from abv search

JOB Alert Count
DEV.JOBS.Temp1 18
DEV.JOBS.Temp2 11
DEV.JOBS.Temp3 7

from abv i know DEV.JOBS.Temp1 has count 18, But this job has repeated only on 1 day not all days in 7 days

How can i find count of a Job if it repeated only for multiple days
example

14-dec-2020 DEV.JOBS.Temp1 ul5=*11007* count 2
14-dec-2020 DEV.JOBS.Temp2 ul5=*11007* count 11
15-dec-2020 DEV.JOBS.Temp1 ul5=*11007* count 10
15-dec-2020 DEV.JOBS.Temp2 ul5=*11007* count 21
16-dec-2020 DEV.JOBS.Temp1 ul5=*11007* count 3
16-dec-2020 DEV.JOBS.Temp2 ul5=*11007* count 6
17-dec-2020 DEV.JOBS.Temp1 ul5=*11007* count 2
17-dec-2020 DEV.JOBS.Temp2 ul5=*11007* count 11
18-dec-2020 DEV.JOBS.Temp1 ul5=*11007* count 10
18-dec-2020 DEV.JOBS.Temp2 ul5=*11007* count 21
19-dec-2020 DEV.JOBS.Temp1 ul5=*11007* count 3
19-dec-2020 DEV.JOBS.Temp2 ul5=*11007* count 6
19-dec-2020 DEV.JOBS.Temp3 ul5=*11007* count 6

If i do search i should get out put as below -- for the jobs it should show 5 why because its repeated for 5 days.
JOB Alert Count
DEV.JOBS.Temp1 5
DEV.JOBS.Temp2 5
DEV.JOBS.Temp3 1

Thanks

harsush · ‎12-18-2020

It worked you are really Super fast @renjith_nair Thanks -- One last help

We can pull the day with date_wday -- Along with date is it possible to show the day also like shown in the below .

JOB	11/12/2020(Friday)	12/12/2020(Saturday)	13-12-2020(Sunday)	14-12-2020(Monday)	15-12-2020(Tuesday)	16-12-2020(Wednesday)	17-12-2020(Thrusday)	18-12-2020(Friday)	Total
Job1		8	10						18
Job2	1	1		1	2	2	3		10

View solution in original post

renjith_nair · ‎12-18-2020

Try

index=AA source=*XXX.log
| rex field=_raw "- (?<uc>U(\d{7}|\d{8})) "
| rex field=uc "(?<ul5>\d{5})$"
| rex "[^\w](?<JOB>(?<env>[A-Z0-9@_#]+)\.[A-Z0-9@_#]+\.[A-Z0-9@_#]+\.(?<app>[A-Z0-9@_#]+\.[A-Z0-9@_#]+)\.[A-Z0-9@_#]+)"
| search env=* app=* JOB=*DEV.* ul5=*11007*
| eval date=strftime(_time,"%d-%m-%Y")
| stats count by date,JOB
| stats count by JOB

First stats should give you a count by date and JOB and second stats should aggregate based on the JOB

---
What goes around comes around. If it helps, hit it with Karma 🙂

harsush · ‎12-18-2020

I never thought of putting another stats ur awesome -- Thanks a lot @renjith_nair .

Is it possible to add a date as column and get the count for each date along with sum of all dates count @renjith_nair

Job	Count	15-Dec-20	16-Dec-20	17-Dec-20	18-Dec-20	19-Dec-2020
Job1	6	1	2	1	1	1

renjith_nair · ‎12-18-2020

Glad it worked. You may 👍 for the replies which helped you 🙂

Yes, its possible

Just add this after the stats command which gives you details per job and date

"Your search"
|xyseries Job,date,count| addtotals row=true

---
What goes around comes around. If it helps, hit it with Karma 🙂

harsush · ‎12-18-2020

It worked you are really Super fast @renjith_nair Thanks -- One last help

We can pull the day with date_wday -- Along with date is it possible to show the day also like shown in the below .

JOB	11/12/2020(Friday)	12/12/2020(Saturday)	13-12-2020(Sunday)	14-12-2020(Monday)	15-12-2020(Tuesday)	16-12-2020(Wednesday)	17-12-2020(Thrusday)	18-12-2020(Friday)	Total
Job1		8	10						18
Job2	1	1		1	2	2	3		10

search pattern sum count if it repeated more than a day

count

eval

stats

subsearch

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?