Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

index = aws_ubs_n | search log IN ("*error*","*info*","*warn*") | stats count as log

surens
Explorer
‎09-07-2022 12:04 AM

How to count each log value separately?

("*error*","*info*","*warn*")

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-07-2022 12:36 AM

Hi @surens ,

ok, please try this:

index = aws_ubs_n log IN ("*error*","*info*","*warn*") 
| eval kind=case(like(log,"%error%"),"error",like(log,"%info%"),"info",like(log,"%warn%"),"warn")
| stats count AS Log_count BY kind

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

surens
Explorer
‎09-07-2022 12:53 AM

Thanks It's working fine

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-07-2022 12:11 AM

Hi @surens,

did you tried:

index = aws_ubs_n log IN ("*error*","*info*","*warn*") 
| stats count BY log

For more infos see at https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchReference/Stats

Don't use the search command after the main search, it's a best practice to put search conditions as left as possible to have faster searches.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

surens
Explorer
‎09-07-2022 12:30 AM

I want know each log count 

like 

error log    23456

info             873267

 how ?

 

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-07-2022 12:36 AM

Hi @surens ,

ok, please try this:

index = aws_ubs_n log IN ("*error*","*info*","*warn*") 
| eval kind=case(like(log,"%error%"),"error",like(log,"%info%"),"info",like(log,"%warn%"),"warn")
| stats count AS Log_count BY kind

Ciao.

Giuseppe

Reply
Solved! Jump to solution

surens
Explorer
‎09-07-2022 01:02 AM

Now how to get this option in multiselect splunk dashboard ?

 

Field For Label?
log
Field For Value?
what would enter this place ?
Tags (1)
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-07-2022 01:21 AM

Hi @surens,

in a multiselect input, you could use a search like this:

index = aws_ubs_n log IN ("*error*","*info*","*warn*") 
| eval kind=case(like(log,"%error%"),"error",like(log,"%info%"),"info",like(log,"%warn%"),"warn")
| dedup kind
| sort kind
| table kind

and use the kind value both for label and value.

Or use fixed values.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉

Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...