Hi! I'm pretty new to Splunk and I'm trying to figure out how to:
1. Search for 2 different strings (dealswidget OR hotelquerywidget)
2. then total the occurrences of the 2 strings
3. print the result for each of the strings
Can anyone help please?
The lines in the logs appear as:
10.186.198.6 - - [29/Jul/2011:00:03:08 -0500] "GET /js/lib/jquery-1.5.js HTTP/1.0" 200 211978 "http://partners.hotels.com/hotelquerywidget/1/1/HCOM_ES-es_ES/hotelquerywidget.html" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30" "5DC1789408E34ECF1A8F25E521617E9D.ut03hap01"
10.186.198.6 - - [29/Jul/2011:00:09:04 -0500] "GET /styles/widget/hcom.external.common.css HTTP/1.1" 200 4255 "http://partners.hotels.com/dealswidget/1/2/1633826/HCOM_NO-no_NO/widget.html" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30" "3EDEC4AAE25F8C92260C2132409F54BC.ut03hap01"
Joetron's solution works - many thanks.
It displays a count of the 2 strings I searched for. But how do I include the actual log lines in the results?
Add values(_raw) in your stats command, like: "| stats count,values(_raw) by yourextractedfield"
A quick and dirty way is:
"dealswidget" OR "hotelquerywidget"
| rex "(?<myword>dealswidget|hotelquerywidget)"
| stats count by myword
Although you don't specify how to count if both words appear in an event, or if one word appears more than once.
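An added example, not part of the original thread: one way to handle the case raised above, where a word appears more than once in an event or both words appear in the same event. The first sample log line in the question contains hotelquerywidget twice, so it contributes 2 occurrences but only 1 event; event_id, occurrences and events are field names introduced here for illustration.

```spl
"dealswidget" OR "hotelquerywidget"
| rex max_match=0 "(?<myword>dealswidget|hotelquerywidget)"
| streamstats count AS event_id
| mvexpand myword
| stats count AS occurrences, dc(event_id) AS events by myword
```

max_match=0 makes rex capture every match into a multivalue field, streamstats numbers each event before mvexpand splits it into one row per match, and dc(event_id) then counts each original event once per word.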
I would first set up some type of field extraction for the webpage you are looking to report on. Then just run your search as follows:
index=myindex yourextractedfield=dealswidget OR yourextractedfield=hotelquerywidget | stats count by yourextractedfield