I am a Splunk noob trying to write a search for a couple of hours, but not successful so far.
I want to count the number of times the command install was triggered and the exit code was 0.
Each install command writes its log in a new file with the format 'install_timestamp', so I am searching for source="install*".
Using 2 source files as example:
source1:
event1:command=install
... //a couple of other events
event100:exit_code=0
source2:
event1:command=install -f
... //a couple of other events
event100:exit_code=0
In this case I want the result to be 1, because there is only 1 occurrence of exit_code=0 when the command was install (not -f).
The thing that's confusing me is that the information for command and exit_code is in different events. I can get each of the two events separately, but I am not able to figure out how to get the combined result.
Any tips on how I can achieve the result I want? Thanks!
Like this:
source=source1 OR source=source2 | reverse | streamstats current=t count(eval(isnotnull(command))) AS sessionID BY host | stats values(*) AS * BY host sessionID | where command="install" AND exit_code="0" | stats count AS numInstallWithExitCodeZero
Check out what happens if you get rid of the | where part; the stuff before that is where the magic happens.
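As an added illustration (not part of the answer above, and not Splunk code), here is a Python sketch of what the streamstats and stats stages compute on the two sample sources from the question: every event that carries a command field opens a new session per host, the fields of each session are merged, and only sessions with command exactly "install" and exit_code 0 are counted. The host name, source names and filler events are constructed.

```python
import re
from collections import defaultdict

# Constructed sample events, oldest first (the order `| reverse` gives you).
# Each tuple is (host, source, raw event text); host/source names are assumed.
SAMPLE_EVENTS = [
    ("host1", "install_1000", "command=install"),
    ("host1", "install_1000", "step=download"),
    ("host1", "install_1000", "exit_code=0"),
    ("host1", "install_2000", "command=install -f"),
    ("host1", "install_2000", "step=download"),
    ("host1", "install_2000", "exit_code=0"),
]

# One key=value pair per event; the value runs to end of line.
KV_RE = re.compile(r"^(\w+)=(.*)$")


def extract_fields(raw):
    m = KV_RE.match(raw)
    return {m.group(1): m.group(2)} if m else {}


def sessionize(events):
    """Mimic the streamstats stage: a per-host counter that increments on
    every event where `command` is present, so each install and the events
    after it share one sessionID. Returns [(host, sessionID, fields), ...]."""
    counters = defaultdict(int)
    rows = []
    for host, _source, raw in events:
        fields = extract_fields(raw)
        if "command" in fields:
            counters[host] += 1
        rows.append((host, counters[host], fields))
    return rows


def merge_sessions(rows):
    """Mimic `stats values(*) AS * BY host sessionID`: collapse each session
    into one record mapping field name -> set of values seen."""
    merged = defaultdict(lambda: defaultdict(set))
    for host, sid, fields in rows:
        for key, value in fields.items():
            merged[(host, sid)][key].add(value)
    return merged


def count_clean_installs(events):
    """The `where` plus final `stats count`: sessions with command exactly
    "install" (so "install -f" is excluded) and an exit_code of 0."""
    merged = merge_sessions(sessionize(events))
    return sum(1 for f in merged.values()
               if "install" in f.get("command", set())
               and "0" in f.get("exit_code", set()))
```

One caveat when running the real search: Splunk's automatic key=value extraction stops at whitespace, so `command=install -f` may be extracted as command="install" unless the value is quoted in the log or you extract it with rex; check the extracted values before trusting the count.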