Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

stats count or eval

Mike6960
Path Finder
‎06-04-2020 03:25 AM

I am trying to make an overview with different counts. The message always starts with :

logger="blahblah-main.Start*"

Some will go in error and then they will apear with:

logger="blahblah.Exception"
The difficult thing is that I want the unique ID's, so some messages will have an retry in both loggers.I tried to use dedup but then I will miss messages when they are in both loggers. I hope someone can make sense of my question....

search.... logger="blahblah-main.Start*" OR logger="blahblah.Exception" |dedup message.MessagId|dedup message.BusinessId |chart count by logger

Labels (2)
Labels
Tags (2)
0 Karma
Reply

wmyersas
Builder
‎06-04-2020 06:22 AM

@richgalloway is right - without real sample data, we're not going to be able to help you as well as we could otherwise

We need you to supply sample data

That said, here's a possible guess as to what you're trying to do:

index=ndx sourcetype=srctp logger="blahblah-main.Start" OR logger="blahblah.Exception"
| stats values(message.MessageId) as MessageId values(message.BusinessId) as BusinessId by logger
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-04-2020 06:02 AM

Please share complete examples of error and non-error messages. Let us know where to find the MessageId and BusinessId fields.

---
If this reply helps you, Karma would be appreciated.
Reply

Mike6960
Path Finder
‎06-04-2020 08:01 AM

Hi, you are absolutely right but I find it difficult to supply samples. The situation is that there is a chain of events, every event starts with the logger "start" when the event cannot be distrtibuted it ends in an exception. Every event contains a messageid en sometimes a businessid. The messageid is unique for every string of events, this can be 2 events of 100. In case of an error there will be retries with the same messageid. I need the count of the unique id's that have been started en the count of the id's that had an exception. Both dedupped.

Message.ID LOGGER LOGGER

1           “start”
2        “start”
3        “start”
3                              "Exception"
3                              "Exception"  
4       "Start"
5        "Start"        
5                               "Exception"     
6   "Start"
7   "Start"
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...