Solved: How do I search in the events message to count for...

splunkermm · ‎05-22-2023

Events:

Message = "This system has RPC error"
Message = "This system has login failure error"
Message = "This system has DCOM error"
Message = "This system has RPC error"
Message = "This system has login failure error"
Message = "This system has DCOM error"
Message = "This system has RPC error"
Message = "This system has login failure error"
Message = "This system has DCOM error"
Message = "This system has RPC remote error"
Message = "This system has login failure error"
Message = "This system has DCOM error"
Message = "This system has RPC error"
Message = "This system has login failure error"
Message = "This system has DCOM issue"
Message = "This system has RPC error"
Message = "This system has login failure error"
Message = "This system has DCOM error"
Message = "This system has login failure error"
Message = "This system has DCOM error"
Message = "This system has no error"
Message = "This system has fatal error"
Message = "This system has no fatal error"
Message = "This system has no CPU error"
Message = "This system has memory issue"

How do i search in the above Events Message to count for DCOM, RPC, login ?

For example:
in the above example how should I get the results as below:
DCOM = 7
RPC = 6
login = 7
Total Message count = 25

Thanks for your time!

richgalloway · ‎05-22-2023

That changes things a bit. Since the messages don't fit a pattern, coming up with a regex to extract the word of interest is more challenging. With just a screenshot to work with, it's impossible to test possible solutions.

I can say, however, that the answer likely will use timechart instead of stats.

...
| timechart count by type

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎05-22-2023

That changes things a bit. Since the messages don't fit a pattern, coming up with a regex to extract the word of interest is more challenging. With just a screenshot to work with, it's impossible to test possible solutions.

I can say, however, that the answer likely will use timechart instead of stats.

...
| timechart count by type

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎05-22-2023

It would help to know what you've tried so far so we know not to suggest the same thing.

Perhaps this will get you started.

index=foo "This system has *"
| rex "This system has (?<type>.*?) error"
| eventstats count as total
| stats count, max(total) as total by type
| rename total as "Total Message count"

---
If this reply helps you, Karma would be appreciated.

splunkermm · ‎05-22-2023

Thanks richgalloway. for your time. but still i am not getting what i want. let me rephrase my question:

I have events for the period of time and i would like to get how many different messages including duplicates.

For example:

I have system events for the last 12 months. And these events have field name called Messages. Example of messages as below:

In the above list:

Message contains "logon failure" counts 7 times, "DCOM counts 2 times, "Group Policy failed" counts 2 times, "RPC" counts 2 times, "DomainController" counts 2 times, "DSS" counts 3 times.

How do I show the line graph, by top counts over time frame – X axis is time, Y axis is the count – with one line for each different messages.

Thanks for your time.

How do I search in the events message to count for DCOM, RPC, login?

kvstore

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

Preparing your Splunk Environment for OpenSSL3