trying to find if there is an suggestion to captur...

Deepz2612 · ‎03-14-2019

Hi Team,

I would like to know if there is any way to extract/find only the values that is present in more than one event with different values associated.
To explain further on the scenario,below are the logs.

 msg:    for-service - [2019-03-15T06:01:05.554+0000] "GET /api/for*&byr=**12355**" 404

Please help!!
Thanks in advance!

sandeepmakkena · ‎10-25-2019

|rex "vin\=(?P<vin>[^\"]+)\"\s(?P<status>\d+)"
| stats dc(status) as StatusDC, values(status)  by vin 
| where StatusDC>1 
| table vin

I think this should help.
You can see dc(status), values of all the Status by vin by removing, where and table part to test.
Thanks!

woodcock · ‎10-25-2019

Like this:

... | rex "vin\=(?P<vin>[^\"]+)\"\s(?P<status>\d+)"
| stats dc(status) AS status_count values(status) BY vin
| search status_count > 1

nickhills · ‎03-15-2019

Hi @Deepz2612
Try adding this to the end of your search.

|rex "vin\=(?P<vin>[^\"]+)\"\s(?P<status>\d+)"|stats dc(vin) by vin, status

If my comment helps, please give it a thumbs up!

Deepz2612 · ‎03-15-2019

Hi nick,
Thanks!
But my requirement is to list "only" the vins which occurs more than once in logs but with different response code.

nickhills · ‎03-15-2019

Ah, so flip the dc, and use eventstats.
|rex "vin\=(?P<vin>[^\"]+)\"\s(?P<status>\d+)"|eventstats dc(status) by vin as status_count|where status_count>1|table _time vin status
(untested - typed on a phone)

If my comment helps, please give it a thumbs up!

trying to find if there is an suggestion to capture only the values that occurs in more than one event with a different value

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms