- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Logging number of events based on log file
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Logging number of events based on log file
Hi,
My log snippet is shown below:
[2012-09-01 11:02:27:405 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to agaur12@hotmail.com (firstName: null, lastName: null, language: eng, expiryDate: 2012-09-02 08:12:16.0)
[2012-09-01 11:02:32:544 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to testmyyyynp@test.com (firstName: null, lastName: null, language: eng, expiryDate: 2012-09-02 03:29:42.0)
[2012-09-02 11:02:37:679 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to auuuu@abcd.com (firstName: jaber, lastName: kapo, language: eng, expiryDate: 2012-09-02 10:50:46.0)
[2012-09-03 11:02:42:806 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to test_123iopm@test.com (firstName: null, lastName: null, language: eng, expiryDate: 2012-09-02 21:39:43.0)
[2012-09-03 11:02:27:405 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to ggg@test.com (firstName: null, lastName: null, language: eng, expiryDate: 2012-09-02 08:12:16.0)
[2012-09-03 11:02:22:400 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to nfmd@yahoo.com (firstName: null, lastName: null, language: eng, expiryDate: 2012-09-02 08:12:16.0)
[2012-09-05 11:02:32:544 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to testmnp@test.com (firstName: null, lastName: null, language: eng, expiryDate: 2012-09-02 03:29:42.0)
[2012-09-05 11:02:37:679 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to nnjj@abc.com (firstName: jack, lastName: dorson, language: eng, expiryDate: 2012-09-02 10:50:46.0)
Query should return data on how many emails were sent on a particular day i.e. if I want to know how many emails were sent on 2012-09-04, it should return 0 records.
Query should print the data in below format mentioning the number of emails sent for all the days in the log:
Date No of Emails Sent 2012-09-01 2 2012-09-02 1 2012-09-03 3 2012-09-04 0 2012-09-05 2
I'll appreciate if some one can provide answers to the above 2 questions.
Thanks in Advance!!
UPDATE: The log has other entries as well. I've provided only snippet.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So for the first one, you simply need to do:
sourcetype=FOO | stats count
and restrict the time range to a single day.
For the second, you can use:
sourcetype=FOO | timechart span=1d count
Which will make sure you get the zero values on days with no events. You can rename columns using
count as "No of emails"
or something similar.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
then you would need to filter down to just the 'email sent to' events before the pipe to stats/timechart using something like:
sourcetype=FOO "email sent to" | ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The log does not have just "email sent to" lines....it has all other info as well which I've not printed here
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
perhaps you can look at the timechart search command.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
