Splunk Search

total similar events

Michael_Schyma1
Contributor

I am having problems trying to keep a sum of similar events in a field called 'count'. This field should group events with the same 'err_transaction_id'. I usually just use the top function for this, but I can't for this search because some fields should be left intentionally blank, and when I use that command it only grabs the events that have everything.

Here is my search:

index=mainframeapps sourcetype="MainframeApps" NOT Hosted IN ("A390", "CPUC", "SYSE", "CPUE", "IPO1", "CPUB", "CPUA") NOT PENV*
| rex mode=sed field=Hosted "s/'//g"
| rex mode=sed field=err_job_name "s/'//g"
| rex mode=sed field=err_id "s/'//g"
| rex mode=sed field=environment "s/'//g"
| rex mode=sed field=app_id "s/'//g"
| rex mode=sed field=err_transaction_id "s/'//g"
| rex mode=sed field=msg "s/'//g"
| rex mode=sed field=err_call_chain "s/'//g"
| table count, Hosted, err_job_name, err_id, environment, app_defined_key2, app_id, err_transaction_id, msg, err_call_chain
| rename msg AS "Record Info" err_call_chain AS "Call Chain" Hosted AS "Hostname" environment AS "Service ID" err_transaction_id AS "Error Transaction ID" err_id AS "Error ID" app_id AS "Application ID" count AS "Count" percent AS "Percent" err_job_name AS "Error Job Name"

This should be pretty easy for some of you, but I am not having much luck with the stats command. Thank you guys so much.


dart
Splunk Employee

I'd suggest you keep using the stats or top as before, but fill in the blanks with the fillnull command.

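Spelling out the suggestion above as a complete search (an added example, not code from the original post): the quote stripping runs on the raw field names before any rename, fillnull puts a sentinel into the fields that may legitimately be empty so that stats keeps those rows instead of dropping them, and the sentinel is turned back into a blank after the aggregation. The index, sourcetype, field names and exclusions are taken from the question; the "-" sentinel and the percent calculation are assumptions.

```spl
index=mainframeapps sourcetype="MainframeApps"
    NOT Hosted IN ("A390", "CPUC", "SYSE", "CPUE", "IPO1", "CPUB", "CPUA")
    NOT PENV*
| rex mode=sed field=Hosted "s/'//g"
| rex mode=sed field=err_job_name "s/'//g"
| rex mode=sed field=err_id "s/'//g"
| rex mode=sed field=environment "s/'//g"
| rex mode=sed field=app_id "s/'//g"
| rex mode=sed field=err_transaction_id "s/'//g"
| rex mode=sed field=msg "s/'//g"
| rex mode=sed field=err_call_chain "s/'//g"
| fillnull value="-" Hosted err_job_name err_id environment app_defined_key2 app_id msg err_call_chain
| stats count BY err_transaction_id Hosted err_job_name err_id environment app_defined_key2 app_id msg err_call_chain
| eventstats sum(count) AS total
| eval percent=round(100 * count / total, 2)
| fields - total
| sort - count
| foreach Hosted err_job_name err_id environment app_defined_key2 app_id msg err_call_chain
    [ eval <<FIELD>>=if('<<FIELD>>'=="-", "", '<<FIELD>>') ]
| rename msg AS "Record Info" err_call_chain AS "Call Chain" Hosted AS "Hostname" environment AS "Service ID" err_transaction_id AS "Error Transaction ID" err_id AS "Error ID" app_id AS "Application ID" count AS "Count" percent AS "Percent" err_job_name AS "Error Job Name"
```

A sentinel is used rather than fillnull value="" because Splunk treats an empty-string field as absent, so stats ... BY would still drop the row. err_transaction_id is deliberately left out of fillnull, so events with no transaction id at all are still discarded; add it to the fillnull and foreach lists if those rows should be counted too. The eventstats/eval pair reproduces the percent column that top produces.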

jonuwz
Influencer

what stats command are you trying to run? or what output are you trying to get ?


Michael_Schyma1
Contributor

If any more information is needed, please just reach out. THX
