Splunk Search

Count number of events before Dedup

vkakani60
Path Finder

Is there any way to save the count of the events before doing the dedup?

This is my query

index="webapplication_logs" sourcetype="error_log" | rex field=_raw "Severity:\s (?<Severity>.+)" | search Severity = Error 

This query lists all my Severity=Error events (i.e., 3 events in total in the last 10 minutes custom timeframe)

  ....................
 Date: [07/Mar/2004:16:04:49 -0800] 
 IP: ipaddress
 Method: "GET /topicparent=Main.ConfigurationVariables HTTP/1.1"
 Response: 401
 Type: Info
 Severity: Error
 ....................

 ....................
 Date: [07/Mar/2004:16:05:49 -0800] 
 IP: ipaddress
 Method: "GET /topicparent=Main.ConfigurationVariables HTTP/1.1"
 Response: 401
 Type: Info
 Severity: Error
 ....................

 ....................
 Date: [07/Mar/2004:16:07:49 -0800] 
 IP: ipaddress
 Method: "GET /topicparent=Main.ConfigurationVariables HTTP/1.1"
 Response: 401
 Type: Info
 Severity: Error
 ....................

Now I used dedup to show only one result in the last 10 minutes timeframe.

index="webapplication_logs" sourcetype="error_log" | rex field=_raw "Severity:\s (?<Severity>.+)" | search Severity = Error | dedup Severity

 OUTPUT
  ....................
  Date: [07/Mar/2004:16:07:49 -0800] 
  IP: ipaddress
  Method: "GET /topicparent=Main.ConfigurationVariables HTTP/1.1"
  Response: 401
  Type: Info
  Severity: Error
  ....................

But I want to show the total error event count (i.e., 3 events) in the output, or else have the count saved in a field.
I have tried the eval command to save the count, but the field value count shows 1 after using dedup (skipped this method).

| eval tcount = mvcount(Severity)

Then I used the stats command, which counts the events but doesn't show the raw event.

 | stats count by Severity 


I included _raw with the stats command, but COUNT didn't work, maybe because the _raw event timestamp is different.

 | stats count by Severity, _raw

 OUTPUT
Severity      Count         _raw  
Error            1            event
Error            1            event
Error            1            event

But how do I show the count of the events as well as the one similar error event?

 DESIRED OUTPUT
Severity      Count         _raw  
Error            3            event

Or is there any other method to save the event count before dedup?

0 Karma

woodcock
Esteemed Legend

Several working answers have been given; you should pick the best one and click "Accept" to close the question.

0 Karma

woodcock
Esteemed Legend

You can do this with eventstats like this:

Your first search | eventstats count AS b4dedup | dedup Some Fields Here | eventstats count AS afterdedup | eval extra_events = b4dedup - afterdedup
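As an added illustration of why the eventstats approach above works where `eval tcount=mvcount(Severity)` did not, here is a small Python model of the SPL pipeline. This is example code written for this page, not Splunk's own code or the poster's; the input is constructed from the question's three sample events (listed newest first, the order a plain search hands events to dedup), plus one Severity=Warning event added here to show what happens when eventstats runs before the `search Severity=Error` filter or without a `by` clause. The regexes are assumed equivalents of the ones in the question.

```python
"""Model of  ... | search Severity=Error | eventstats count AS b4dedup | dedup Severity
over constructed sample events, showing the count that survives dedup."""
import re
from collections import Counter

# Constructed sample input: the question's three Error events (newest first)
# plus one Warning event added for this example.
RAW_EVENTS = [
    'Date: [07/Mar/2004:16:07:49 -0800]\nIP: ipaddress\nMethod: "GET /topicparent=Main.ConfigurationVariables HTTP/1.1"\nResponse: 401\nType: Info\nSeverity: Error',
    'Date: [07/Mar/2004:16:06:30 -0800]\nIP: ipaddress\nMethod: "GET /topicparent=Main.ConfigurationVariables HTTP/1.1"\nResponse: 200\nType: Info\nSeverity: Warning',
    'Date: [07/Mar/2004:16:05:49 -0800]\nIP: ipaddress\nMethod: "GET /topicparent=Main.ConfigurationVariables HTTP/1.1"\nResponse: 401\nType: Info\nSeverity: Error',
    'Date: [07/Mar/2004:16:04:49 -0800]\nIP: ipaddress\nMethod: "GET /topicparent=Main.ConfigurationVariables HTTP/1.1"\nResponse: 401\nType: Info\nSeverity: Error',
]

# Assumed equivalents of the question's rex patterns (\s+ instead of "\s ").
SEVERITY_RE = re.compile(r"Severity:\s+(?P<Severity>.+)")
IP_RE = re.compile(r"IP:\s+(?P<src_ip>\S+)")
METHOD_RE = re.compile(r'Method:\s+"(?P<method>\S+)\s+(?P<url>\S+)')


def rex(event, pattern):
    """Like SPL rex: add the named groups to the event when the pattern matches."""
    m = pattern.search(event["_raw"])
    if m:
        event.update({k: v.strip() for k, v in m.groupdict().items()})
    return event


def parse(raw_events):
    """Turn raw strings into event dicts carrying _raw plus extracted fields."""
    events = [{"_raw": raw} for raw in raw_events]
    for e in events:
        for pattern in (SEVERITY_RE, IP_RE, METHOD_RE):
            rex(e, pattern)
    return events


def search(events, **where):
    """Like SPL search field=value: keep events whose fields all match."""
    return [e for e in events if all(e.get(k) == v for k, v in where.items())]


def eventstats_count(events, field, by=None):
    """Like SPL eventstats count [by X]: every event gets the size of its group.
    Without `by`, the group is every event in the pipeline at this point."""
    counts = Counter(e.get(by) for e in events) if by else None
    for e in events:
        e[field] = counts[e.get(by)] if by else len(events)
    return events


def dedup(events, *fields):
    """Like SPL dedup: keep the first event seen per combination of field values."""
    seen, kept = set(), []
    for e in events:
        key = tuple(e.get(f) for f in fields)
        if key not in seen:
            seen.add(key)
            kept.append(e)
    return kept


def mvcount(value):
    """Like SPL mvcount: number of values in a multivalue field; a scalar counts as 1."""
    if value is None:
        return None
    return len(value) if isinstance(value, list) else 1


def count_before_dedup(raw_events):
    """The accepted pattern: filter, attach the count to every event, then dedup."""
    events = search(parse(raw_events), Severity="Error")
    events = eventstats_count(events, "b4dedup")
    return dedup(events, "Severity")


def count_with_mvcount(raw_events):
    """The approach that failed in the question: mvcount of a single-valued field is 1."""
    events = search(parse(raw_events), Severity="Error")
    for e in events:
        e["tcount"] = mvcount(e.get("Severity"))
    return dedup(events, "Severity")


if __name__ == "__main__":
    for row in count_before_dedup(RAW_EVENTS):
        print(row["b4dedup"], row["Severity"], row["_raw"].splitlines()[0])
```

Two caveats the model makes visible: eventstats without `by` counts every event still in the pipeline, so the `search Severity=Error` filter must come first (or use `eventstats count AS b4dedup by Severity`); and dedup keeps the first event in the current result order, which for a plain search is the most recent one, matching the 16:07:49 event kept in the question's output.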

Runals
Motivator

So I would do something like this. Hopefully you and/or your Splunk admin can eventually bake in the field extractions. To me what would be interesting is the number of errors per Method (url/resource really) and how many unique IPs tried to access whatever it was. Given the sourcetype name is there anything other than 'error' Severity logs? If not or you are specifically interested in those I'd search on that before the first pipe /shrug. You could put all of your field extractions in one rex but for visual parsing I'll break them up as well. On the Method line extraction you will likely need a total of 3 backslashes. I'm not using the method field but you might as well extract it at some point.

index="webapplication_logs" sourcetype="error_log" "severity: error" | rex "Severity:\s (?<Severity>.+)" | rex "IP: (?<src_ip>\S+)" | rex "Method: \"(?<method>\S+)\s(?<url>\S+)"  | stats dc(src_ip) as IPs count as totalEvents by Severity url

Or if you want to get a breakdown of counts per IP / url something like

index="webapplication_logs" sourcetype="error_log" "severity: error" | rex "Severity:\s (?<Severity>.+)" | rex "IP: (?<src_ip>\S+)" | rex "Method: \"(?<method>\S+)\s(?<url>\S+)" | stats count by Severity url src_ip | sort -count | stats sum(count) as totalEvents list(src_ip) as IPs list(count) as attempts by Severity url
0 Karma

sundareshr
Legend

Something like this should work

 index="webapplication_logs" sourcetype="error_log" | rex field=_raw "Severity:\s (?<Severity>.+)" | search Severity = Error | stats count as totalCount values(_raw) as _raw by Severity

*OR*

 index="webapplication_logs" sourcetype="error_log" | rex field=_raw "Severity:\s (?<Severity>.+)" | search Severity = Error | stats count as totalCount latest(_raw) as _raw by Severity
0 Karma