Splunk Search

How to edit my search to find the counts for "heap dump" and "java core" fields by host?

harishnpandey
Explorer

trying to list Heapdump and javacore counts across multiple hosts

Splunk search

host=A OR host=B OR host=C OR host=D "JVM requested Java dump" |stats count as Java_Dump by host | appendcols [search host=A OR host=B OR host=C OR host=D]  "JVM requested Heap dump"|stats count as Heap_Dump by host

This one is not working for me ..Appreciate any suggestion to this

Also, I tried below one .. It return values for both Java dump and Heap dump but its giving wrong count and patterns

host=A OR host=B OR host=C OR host=D  |stats count(eval(searchmatch("JVM requested Java dump"))) as Java_Dump count(eval(searchmatch("JVM requested Heap dump"))) as Heap_Dump by host
0 Karma

somesoni2
SplunkTrust
SplunkTrust

Your first search has syntax error (square bracket in wrong place). Correct search will be this

host=A OR host=B OR host=C OR host=D "JVM requested Java dump" |stats count as Java_Dump by host | appendcols [search host=A OR host=B OR host=C OR host=D  "JVM requested Heap dump"|stats count as Heap_Dump by host]

This version has several issues, like running search on same data twice, subsearch limitations may apply, and if one of the host doesn't have that string, the column ordering would be wrong. A better approach would be like this

host=A OR host=B OR host=C OR host=D ( "JVM requested Java dump" OR "JVM requested Heap dump") 
| eval Java_Dump=if(searchmatch( "JVM requested Java dump"),1,0)
| eval Heap_Dump=if(searchmatch( "JVM requested Heap dump"),1,0)
| stats sum(*_Dump) as *_Dump by host
0 Karma

harishnpandey
Explorer

Thank you very much. First query gives me now correct output. However .2nd one still

0 Karma

woodcock
Esteemed Legend

I am skeptiful in the extreme. The 2nd search is impeccable; it absolutely is correct. How are you determining otherwise?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...