Splunk Search

How to edit my search to find old vs new errors with counts?

akasio1972
New Member

Folks

I am new to Splunk, so pardon the basic question here. I am trying to find in my application what the new errors over the past 24 hours are that we never encountered in the past week. Here is my current search:

CASE(ERROR) earliest=-24h@h latest=now
| stats count as errsToday by class source linecount
| sort by class source linecount
| appendcols [ search CASE(ERROR) earliest=-8d@d latest=-24h@h
    | stats count as errsLastWeek by class source linecount
    | sort by class source linecount ]
| eval errsLastWeek=if(isnull(errsLastWeek),0,errsLastWeek)
| eval errsToday=if(isnull(errsToday),0,errsToday)
| table errsLastWeek errsToday class source linecount

My question is whether anyone has comments on the above search, and assuming it is correct, I have the following problem. In the results I get lines as follows:

errsLastWeek    errsToday    class     source      linecount
3               4            Foo       foo.txt     5
5               0            Foo       foo.txt     5

I would like to process further so I get:

errsLastWeek    errsToday    class     source      linecount
8               4            Foo       foo.txt     5

thanks in advance for the advice
-a


HeinzWaescher
Motivator

What field identifies whether the event is an error? You should start your search like this:
sourcetype=foo fieldname=ERROR

If you need class, source and linecount info, I would do it like this:

Set the time range picker to earliest=-7d@d latest=now

sourcetype=foo fieldname=ERROR
| eval today=relative_time(now(),"@d")
| stats count(eval(if(_time<today, _time, null()))) AS errors_last_week,
        count(eval(if(_time>=today, _time, null()))) AS errors_today BY class, source, linecount
| eval new_error=if(errors_last_week=0, "true", "false")

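The accepted answer's approach, written out in plain Python as an added example (this is not code from the thread or from Splunk): one pass over all events in the seven-day window, counts grouped by the (class, source, linecount) signature, split at today's midnight the way `relative_time(now(),"@d")` splits it, and a `new_error` flag wherever the prior-week count is zero. The event list, the fixed `NOW`, and the function names `summarize` and `new_errors` are constructed for the example.

```python
"""Reproduce the accepted answer's SPL logic in Python.

    stats count(eval(if(_time<today, _time, null()))) AS errors_last_week,
          count(eval(if(_time>=today, _time, null()))) AS errors_today
          BY class, source, linecount
    | eval new_error=if(errors_last_week=0, "true", "false")

Added example, not code from the original thread.  Events, NOW and the
function names below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Fixed "now" so the run is deterministic (assumption: a mid-afternoon
# search time, so 'today' and 'the last 24 hours' are not the same window).
NOW = datetime(2024, 3, 15, 14, 30)


def start_of_day(ts):
    """Equivalent of relative_time(ts, "@d"): snap to midnight."""
    return ts.replace(hour=0, minute=0, second=0, microsecond=0)


# Constructed sample events: (timestamp, class, source, linecount).
SAMPLE_EVENTS = [
    (NOW - timedelta(days=6), "Foo", "foo.txt", 5),    # seen last week ...
    (NOW - timedelta(days=3), "Foo", "foo.txt", 5),
    (NOW - timedelta(days=1), "Foo", "foo.txt", 5),
    (NOW - timedelta(hours=3), "Foo", "foo.txt", 5),   # ... and again today
    (NOW - timedelta(hours=1), "Foo", "foo.txt", 5),
    (NOW - timedelta(hours=2), "Bar", "bar.txt", 12),  # first seen today: new
    (NOW - timedelta(days=5), "Baz", "baz.txt", 7),    # last week only: not new
    (NOW - timedelta(days=9), "Old", "old.txt", 1),    # outside earliest=-7d@d
]


def summarize(events, now=NOW):
    """Return {(class, source, linecount): {errors_last_week, errors_today, new_error}}.

    Mirrors 'earliest=-7d@d latest=now' plus the stats/eval from the answer.
    """
    today = start_of_day(now)
    week_start = today - timedelta(days=7)
    counts = defaultdict(lambda: {"errors_last_week": 0, "errors_today": 0})

    for ts, cls, source, linecount in events:
        if ts < week_start or ts > now:
            continue  # the time range picker drops these before stats runs
        key = (cls, source, linecount)
        if ts < today:
            counts[key]["errors_last_week"] += 1   # _time < today
        else:
            counts[key]["errors_today"] += 1       # _time >= today

    # A key only exists if it had at least one in-range event, so
    # errors_last_week == 0 implies errors_today > 0: a genuinely new error.
    for row in counts.values():
        row["new_error"] = row["errors_last_week"] == 0
    return dict(counts)


def new_errors(events, now=NOW):
    """Just the signatures that appeared today and never in the prior week."""
    return sorted(k for k, v in summarize(events, now).items() if v["new_error"])


if __name__ == "__main__":
    print("errors_last_week  errors_today  new_error  class  source  linecount")
    for (cls, source, lc), row in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{row['errors_last_week']:>16}  {row['errors_today']:>12}  "
              f"{str(row['new_error']).lower():<9}  {cls}  {source}  {lc}")
```

Because everything is keyed by the signature in a single aggregation, each (class, source, linecount) produces exactly one row, which is the merged result the question asked for; the duplicate Foo rows in the original search come from appendcols pairing rows by position rather than by key. Note the boundary in the answer is today's midnight, not a rolling 24 hours: an error seen at 23:00 yesterday and again at 01:00 today counts once in each column.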
akasio1972
New Member

Thanks, man! I appreciate it. Worked great.
