Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

index = aws_ubs_n | search log IN ("*error*","*info*","*warn*") | stats count as log

surens
Explorer
‎09-07-2022 12:04 AM

How to count each log value separately?

("*error*","*info*","*warn*")

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-07-2022 12:36 AM

Hi @surens ,

ok, please try this:

index = aws_ubs_n log IN ("*error*","*info*","*warn*") 
| eval kind=case(like(log,"%error%"),"error",like(log,"%info%"),"info",like(log,"%warn%"),"warn")
| stats count AS Log_count BY kind

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

surens
Explorer
‎09-07-2022 12:53 AM

Thanks It's working fine

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-07-2022 12:11 AM

Hi @surens,

did you tried:

index = aws_ubs_n log IN ("*error*","*info*","*warn*") 
| stats count BY log

For more infos see at https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchReference/Stats

Don't use the search command after the main search, it's a best practice to put search conditions as left as possible to have faster searches.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

surens
Explorer
‎09-07-2022 12:30 AM

I want know each log count 

like 

error log    23456

info             873267

 how ?

 

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-07-2022 12:36 AM

Hi @surens ,

ok, please try this:

index = aws_ubs_n log IN ("*error*","*info*","*warn*") 
| eval kind=case(like(log,"%error%"),"error",like(log,"%info%"),"info",like(log,"%warn%"),"warn")
| stats count AS Log_count BY kind

Ciao.

Giuseppe

Reply
Solved! Jump to solution

surens
Explorer
‎09-07-2022 01:02 AM

Now how to get this option in multiselect splunk dashboard ?

 

Field For Label?
log
Field For Value?
what would enter this place ?
Tags (1)
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-07-2022 01:21 AM

Hi @surens,

in a multiselect input, you could use a search like this:

index = aws_ubs_n log IN ("*error*","*info*","*warn*") 
| eval kind=case(like(log,"%error%"),"error",like(log,"%info%"),"info",like(log,"%warn%"),"warn")
| dedup kind
| sort kind
| table kind

and use the kind value both for label and value.

Or use fixed values.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉

Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...