Splunk Search

How to get total for line count then subtotal for another field in the same query?

jaj
Path Finder

Hi - Very new to Splunk.

I have the following query that gives me total count for a specific log:

LOGGING string:
"log msg: stuff="

From this query I can get the total by matching "log msg":

source=*/logs/stdout.log classname=Log "log msg" | stats count

However, I want to get that count as well as the count for "stuff" where stuff=""

How can I modify the query above to get the total count for "log msg" and the total count where stuff is an empty string? (As a next ask, possibly display it in a stacked bar chart? But raw data is fine for now.)


somesoni2
SplunkTrust

Try the following:

source=*/logs/stdout.log classname=Log "log msg" | stats count, count(eval(stuff="")) AS empty_stuff

jaj
Path Finder

awesome, thanks!
