How do I write a search to combine information fro...

comatose_11 · ‎11-09-2015

I am splunk noob trying to write a search for a couple of hours, but not successful so far.
I want to count the number of times the command install was triggered and the exit code was 0
Each install command writes log in a new file with format 'install_timestamp' so I am searching for source="install*"

Using 2 source files as example:

source1:
event1:command=install
... //a couple of other events
event100:exit_code=0

source2:
event1:command=install -f
... //a couple of other events
event100:exit_code=0

In this case I want the result to be 1. Because there is only 1 occurrence of exit_code=0 when command was install (not -f)

The thing that's confusing me is that the information for command and exit_code is in different events. I can get each of the two events separately, but able to figure out how to get the combined result.

Any tips on how can I achieve the result I want? Thanks!

woodcock · ‎11-09-2015

Like this:

source=source1 OR source=source2 | reverse | streamstats current=t count(isnotnull(command)) AS sessionID BY host | stats values(*) AS * by host sessionID | where command="install" AND exit_code="0" | stats count AS numInstallWithExitCodeZero

Check out what happens if you get rid of the | where part; the stuff before that is where the magic happens.

How do I write a search to combine information from two events to get an accurate count?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life