Group the events

ncbshiva · ‎06-13-2013

Hi

I have a log file , i want to search events for first occurrence of word "error" in that file, till the first occurrence of word "READY TO ACTIVATE".

I want to list all the events between first occurrence of "error" and first occurrence of "READY TO ACTIVATE".

Please help me ..........

kristian_kolb · ‎06-14-2013

Using transaction like Ayn suggests; you'll get multivalued fields. Assuming that you have a field called 'status' which in your case contains either 'error' or 'ok', you could do (after the transaction)

| eval err = mvfilter(match(status, "error")) |  eval err_count = mvcount(err)

If all the events in the transaction contains status=error, you could use the eventcount field that is created by the transaction. Perhaps subtract 1 from the eventcount, if the 'READY TO ACTIVATE' event does not contain 'error'.

Without sample events, it is a lot harder to give you good advice.

/K

ncbshiva · ‎07-02-2013

Hi kristian.kolb

I am not getting the count of word "error" correctly, If there are two "error" words in the log file , its giving the count as one only....

please help me....

Ayn · ‎06-14-2013

Use transaction.

... | transaction startswith="error" endswith="READY TO ACTIVATE"

ncbshiva · ‎06-14-2013

i have used the same, but i need to evaluate the count of "error" from line 1 till the first occurrence of "READY TO ACTIVATE"

Thanks in advance.......

ncbshiva · ‎06-13-2013

Hi

I have a log file , i want to evaluate count of errors from line 1 of the file till the first occurrence of "READY TO ACTIVATE" phrase.

Please help me ..........

Group the events

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes