How do I write a search to combine information fro...

comatose_11 · ‎11-09-2015

I am splunk noob trying to write a search for a couple of hours, but not successful so far.
I want to count the number of times the command install was triggered and the exit code was 0
Each install command writes log in a new file with format 'install_timestamp' so I am searching for source="install*"

Using 2 source files as example:

source1:
event1:command=install
... //a couple of other events
event100:exit_code=0

source2:
event1:command=install -f
... //a couple of other events
event100:exit_code=0

In this case I want the result to be 1. Because there is only 1 occurrence of exit_code=0 when command was install (not -f)

The thing that's confusing me is that the information for command and exit_code is in different events. I can get each of the two events separately, but able to figure out how to get the combined result.

Any tips on how can I achieve the result I want? Thanks!

woodcock · ‎11-09-2015

Like this:

source=source1 OR source=source2 | reverse | streamstats current=t count(isnotnull(command)) AS sessionID BY host | stats values(*) AS * by host sessionID | where command="install" AND exit_code="0" | stats count AS numInstallWithExitCodeZero

Check out what happens if you get rid of the | where part; the stuff before that is where the magic happens.

How do I write a search to combine information from two events to get an accurate count?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms