Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

stats count or eval

Mike6960
Path Finder
‎06-04-2020 03:25 AM

I am trying to make an overview with different counts. The message always starts with :

logger="blahblah-main.Start*"

Some will go in error and then they will apear with:

logger="blahblah.Exception"
The difficult thing is that I want the unique ID's, so some messages will have an retry in both loggers.I tried to use dedup but then I will miss messages when they are in both loggers. I hope someone can make sense of my question....

search.... logger="blahblah-main.Start*" OR logger="blahblah.Exception" |dedup message.MessagId|dedup message.BusinessId |chart count by logger

Labels (2)
Labels
Tags (2)
0 Karma
Reply

wmyersas
Builder
‎06-04-2020 06:22 AM

@richgalloway is right - without real sample data, we're not going to be able to help you as well as we could otherwise

We need you to supply sample data

That said, here's a possible guess as to what you're trying to do:

index=ndx sourcetype=srctp logger="blahblah-main.Start" OR logger="blahblah.Exception"
| stats values(message.MessageId) as MessageId values(message.BusinessId) as BusinessId by logger
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-04-2020 06:02 AM

Please share complete examples of error and non-error messages. Let us know where to find the MessageId and BusinessId fields.

---
If this reply helps you, Karma would be appreciated.
Reply

Mike6960
Path Finder
‎06-04-2020 08:01 AM

Hi, you are absolutely right but I find it difficult to supply samples. The situation is that there is a chain of events, every event starts with the logger "start" when the event cannot be distrtibuted it ends in an exception. Every event contains a messageid en sometimes a businessid. The messageid is unique for every string of events, this can be 2 events of 100. In case of an error there will be retries with the same messageid. I need the count of the unique id's that have been started en the count of the id's that had an exception. Both dedupped.

Message.ID LOGGER LOGGER

1           “start”
2        “start”
3        “start”
3                              "Exception"
3                              "Exception"  
4       "Start"
5        "Start"        
5                               "Exception"     
6   "Start"
7   "Start"
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...