Splunk Search

Logging number of events based on log file

freephoneid
Path Finder

Hi,

My log snippet is shown below:

[2012-09-01 11:02:27:405 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to agaur12@hotmail.com (firstName: null, lastName: null, language: eng, expiryDate: 2012-09-02 08:12:16.0)
[2012-09-01 11:02:32:544 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to testmyyyynp@test.com (firstName: null, lastName: null, language: eng, expiryDate: 2012-09-02 03:29:42.0)
[2012-09-02 11:02:37:679 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to auuuu@abcd.com (firstName: jaber, lastName: kapo, language: eng, expiryDate: 2012-09-02 10:50:46.0)
[2012-09-03 11:02:42:806 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to test_123iopm@test.com (firstName: null, lastName: null, language: eng, expiryDate: 2012-09-02 21:39:43.0)
[2012-09-03 11:02:27:405 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to ggg@test.com (firstName: null, lastName: null, language: eng, expiryDate: 2012-09-02 08:12:16.0)
[2012-09-03 11:02:22:400 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to nfmd@yahoo.com (firstName: null, lastName: null, language: eng, expiryDate: 2012-09-02 08:12:16.0)
[2012-09-05 11:02:32:544 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to testmnp@test.com (firstName: null, lastName: null, language: eng, expiryDate: 2012-09-02 03:29:42.0)
[2012-09-05 11:02:37:679 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to nnjj@abc.com (firstName: jack, lastName: dorson, language: eng, expiryDate: 2012-09-02 10:50:46.0)
  1. Query should return data on how many emails were sent on a particular day i.e. if I want to know how many emails were sent on 2012-09-04, it should return 0 records.

  2. Query should print the data in below format mentioning the number of emails sent for all the days in the log:

    Date        No of Emails Sent
    2012-09-01  2
    2012-09-02  1
    2012-09-03  3
    2012-09-04  0
    2012-09-05  2
    

I'd appreciate it if someone could provide answers to the above 2 questions.

Thanks in Advance!!

UPDATE: The log has other entries as well. I've provided only a snippet.

0 Karma

emiller42
Motivator

So for the first one, you simply need to do:

sourcetype=FOO | stats count

and restrict the time range to a single day.

For the second, you can use:

sourcetype=FOO | timechart span=1d count

Which will make sure you get the zero values on days with no events. You can rename columns using

count as "No of emails" 

or something similar.

emiller42
Motivator

Then you would need to filter down to just the 'email sent to' events before the pipe to stats/timechart using something like:

sourcetype=FOO "email sent to" | ...

0 Karma
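As an added example (not code from the thread or from Splunk), the script below does offline what the two searches in the answer above do: `stats count` restricted to one day, and `timechart span=1d count`, both with the `"email sent to"` filter from the follow-up comment applied first. It runs over a constructed copy of the question's log with a few unrelated lines mixed in, since the poster says the real log contains other entries. The function names (`emails_sent_on`, `count_per_day`, `format_table`) and the extra non-email lines are the example's own.

```python
import re
from collections import Counter
from datetime import date, timedelta

# Constructed sample log: the question's "email sent to" lines plus
# unrelated entries (hypothetical), including one on 2012-09-04, the
# day on which no email was sent.
SAMPLE_LOG = """\
[2012-09-01 11:02:27:405 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to agaur12@hotmail.com (firstName: null, lastName: null, language: eng, expiryDate: 2012-09-02 08:12:16.0)
[2012-09-01 11:02:32:544 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to testmyyyynp@test.com (firstName: null, lastName: null, language: eng, expiryDate: 2012-09-02 03:29:42.0)
[2012-09-01 11:02:33:001 GMT+00:00][Timer-1][com.abc.myprog] INFO scheduler tick (constructed, not an email)
[2012-09-02 11:02:37:679 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to auuuu@abcd.com (firstName: jaber, lastName: kapo, language: eng, expiryDate: 2012-09-02 10:50:46.0)
[2012-09-03 11:02:42:806 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to test_123iopm@test.com (firstName: null, lastName: null, language: eng, expiryDate: 2012-09-02 21:39:43.0)
[2012-09-03 11:02:27:405 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to ggg@test.com (firstName: null, lastName: null, language: eng, expiryDate: 2012-09-02 08:12:16.0)
[2012-09-03 11:02:22:400 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to nfmd@yahoo.com (firstName: null, lastName: null, language: eng, expiryDate: 2012-09-02 08:12:16.0)
[2012-09-04 09:00:00:000 GMT+00:00][Timer-1][com.abc.myprog] WARN smtp connection refused, will retry (constructed, not an email)
[2012-09-05 11:02:32:544 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to testmnp@test.com (firstName: null, lastName: null, language: eng, expiryDate: 2012-09-02 03:29:42.0)
[2012-09-05 11:02:37:679 GMT+00:00][Timer-1][com.abc.myprog] INFO email sent to nnjj@abc.com (firstName: jack, lastName: dorson, language: eng, expiryDate: 2012-09-02 10:50:46.0)
"""

# Keeps only the events the `"email sent to"` term would keep in the base
# search; captures the calendar date (these timestamps are GMT+00:00) and
# the recipient address.
EMAIL_SENT = re.compile(
    r"^\[(?P<day>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2}:\d{3} GMT[^\]]*\]"
    r"\[[^\]]*\]\[[^\]]*\] INFO email sent to (?P<to>\S+)"
)


def email_sent_events(log_text):
    """Yield (date, recipient) for each 'email sent to' line; skip all others."""
    for line in log_text.splitlines():
        m = EMAIL_SENT.match(line)
        if m:
            yield date.fromisoformat(m.group("day")), m.group("to")


def emails_sent_on(log_text, day):
    """Mirror of `sourcetype=FOO "email sent to" | stats count` with the time
    picker restricted to a single day: returns 0 when nothing matched."""
    return sum(1 for d, _ in email_sent_events(log_text) if d == day)


def count_per_day(log_text, start=None, end=None):
    """Mirror of `... | timechart span=1d count`: one row per calendar day from
    start to end inclusive (defaulting to the first and last matching event),
    with an explicit 0 for days that had no matching event."""
    per_day = Counter(d for d, _ in email_sent_events(log_text))
    if not per_day:
        return []
    start = start or min(per_day)
    end = end or max(per_day)
    rows = []
    day = start
    while day <= end:
        rows.append((day, per_day.get(day, 0)))
        day += timedelta(days=1)
    return rows


def format_table(rows):
    """Render the rows in the layout the question asks for."""
    out = ["Date        No of Emails Sent"]
    for day, n in rows:
        out.append(f"{day.isoformat()}  {n}")
    return "\n".join(out)


if __name__ == "__main__":
    print("sent on 2012-09-04:", emails_sent_on(SAMPLE_LOG, date(2012, 9, 4)))
    print(format_table(count_per_day(SAMPLE_LOG)))
```

One caveat when comparing with Splunk: the script buckets on the date written in the event, which is in GMT+00:00 here, whereas timechart draws its day boundaries in the searching user's configured timezone, so events logged close to midnight can land in the neighbouring day if that timezone is not UTC.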

freephoneid
Path Finder

The log does not have just "email sent to" lines... it has all other info as well which I've not printed here.

0 Karma

gkanapathy
Splunk Employee

Perhaps you can look at the timechart search command.
