×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
john-de
Observer
Member since: ‎06-08-2023
‎06-08-2023
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎06-08-2023
View All

Re: How to find frequency of the same log messages

by SplunkTrust in Splunk Search
‎06-08-2023 11:59 AM
‎06-08-2023 11:59 AM
Well, this is an issue with log parsing. Properly onboarded logs should have defined extractions. Those extractions are responsible for "splitting" the event into fields (it's not precisely splitting since same part of the event can be referenced in more than one field). You can extract fields ad hoc using the "rex" command and then stats like <your search> | rex "(?<mylog>this is log.*)" And then doing the stats | stats count by mylog But it's usually better to have fields extracted automatically by splunk. If you're searching in verbose mode, all fields extracted from a single event should show when you expand this event. (Fast mode only shows fields explicitly used in your search and some default fields). You can also check which fields are extracted from your event by <your_search> ```we don't want to clutter the display so we get just one event``` | head 1 ```show all fields``` | table * ```pivot it around so we have a nice list``` | transpose 0 column_name=field | rename "col 1" as value ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-08-2023 08:23 PM