Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

stats count or eval

Mike6960
Path Finder
‎06-04-2020 03:25 AM

I am trying to make an overview with different counts. The message always starts with :

logger="blahblah-main.Start*"

Some will go in error and then they will apear with:

logger="blahblah.Exception"
The difficult thing is that I want the unique ID's, so some messages will have an retry in both loggers.I tried to use dedup but then I will miss messages when they are in both loggers. I hope someone can make sense of my question....

search.... logger="blahblah-main.Start*" OR logger="blahblah.Exception" |dedup message.MessagId|dedup message.BusinessId |chart count by logger

Labels (2)
Labels
Tags (2)
0 Karma
Reply

wmyersas
Builder
‎06-04-2020 06:22 AM

@richgalloway is right - without real sample data, we're not going to be able to help you as well as we could otherwise

We need you to supply sample data

That said, here's a possible guess as to what you're trying to do:

index=ndx sourcetype=srctp logger="blahblah-main.Start" OR logger="blahblah.Exception"
| stats values(message.MessageId) as MessageId values(message.BusinessId) as BusinessId by logger
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-04-2020 06:02 AM

Please share complete examples of error and non-error messages. Let us know where to find the MessageId and BusinessId fields.

---
If this reply helps you, Karma would be appreciated.
Reply

Mike6960
Path Finder
‎06-04-2020 08:01 AM

Hi, you are absolutely right but I find it difficult to supply samples. The situation is that there is a chain of events, every event starts with the logger "start" when the event cannot be distrtibuted it ends in an exception. Every event contains a messageid en sometimes a businessid. The messageid is unique for every string of events, this can be 2 events of 100. In case of an error there will be retries with the same messageid. I need the count of the unique id's that have been started en the count of the id's that had an exception. Both dedupped.

Message.ID LOGGER LOGGER

1           “start”
2        “start”
3        “start”
3                              "Exception"
3                              "Exception"  
4       "Start"
5        "Start"        
5                               "Exception"     
6   "Start"
7   "Start"
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...