Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I edit my search to get a count by error text?

tkasim
New Member
‎01-11-2016 09:25 PM

Hi everyone,

I am trying to do the following in Splunk, but it's not working:

index=MRM eventtype=MRM_ERROR |
eval Description=case(
like(search, "%error1%"),"error1",
like(search, "%error2%"),"error2"
) | chart count by Description

Any ideas?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎01-11-2016 10:06 PM

Are you comparing it with the field ? I mean is search is your field name? If not, substitute search with your field name where error error2 keywords are present.
If you are getting an error or undesired output please mention that too
ie:

index=MRM eventtype=MRM_ERROR |eval Description=case(like(<field_name>, "%error1%"),"error1",like(<field_name>, "%error2%"),"error2") | chart count by Description
Happy Splunking!

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎01-11-2016 10:06 PM

Are you comparing it with the field ? I mean is search is your field name? If not, substitute search with your field name where error error2 keywords are present.
If you are getting an error or undesired output please mention that too
ie:

index=MRM eventtype=MRM_ERROR |eval Description=case(like(<field_name>, "%error1%"),"error1",like(<field_name>, "%error2%"),"error2") | chart count by Description
Happy Splunking!
Reply
Solved! Jump to solution

tkasim
New Member
‎01-11-2016 10:10 PM

Hi Renjith

the "search" keyword is not a field. I actually want to search the resultset for those errors...
I am not sure how to point to the resultset. I have zero experience with splunk so please excuse the novice question.

I also tried "rawtext" that too didn't work.

index=MRM eventtype=MRM_ERROR |
eval Description=case(
like(rawtext, "%error1%"),"error1",
like(rawtext, "%error2%"),"error2"
) | chart count by Description

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎01-12-2016 06:15 PM

Alright. For raw your should use _raw ie

 index=MRM eventtype=MRM_ERROR |eval Description=case(like(_raw, "%error1%"),"error1",like(_raw, "%error2%"),"error2") | chart count by Description

Ideally if the field is not available , you should extract the field using field extraction techniques in splunk

http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/ExtractfieldsinteractivelywithIFX
http://docs.splunk.com/Documentation/Splunk/6.1/Search/Extractfieldswithsearchcommands
http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/Createandmaintainsearch-timefieldextract...

Happy Splunking!
Reply
Solved! Jump to solution

tkasim
New Member
‎01-12-2016 08:24 PM

Thank you so much.

My plan is to turn the most frequent errors into fields. The above is a great starting point. Thanks for the links, just what I needed 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...