Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Displaying 2 counts (error and total)

shashankjuloori
New Member
‎03-24-2020 10:27 AM

There is a requirement in which i need to display total count and errors(in total count). error message is in raw text.

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-25-2020 05:48 AM

Vague questions beget vague answers. @woodcock has the general idea. We must leave it to you to figure out how to extract the error text from each message since we don't have enough information about the structure of the messages.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

woodcock
Esteemed Legend
‎03-24-2020 04:30 PM

Like this:

... | rex to create error_text
| stats dc(error_text) AS "error count" count AS "total count" by foundation
| eventstats sum('total count') AS "grand total count"
0 Karma
Reply

darrenfuller
Contributor
‎03-24-2020 11:30 AM

Hi shashankjuloori.

Not a lot to go on here. is the error message extracted in a field or only in _raw? Can you share an event or two of sample data to help out a bit|?

./d

0 Karma
Reply

shashankjuloori
New Member
‎03-24-2020 11:44 AM

error message has to be extracted from raw text. Then i need to display total events count and error events count.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-24-2020 12:09 PM

Still not enough to work with. Please provide some sample events (mask private data) and desired output.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

shashankjuloori
New Member
‎03-24-2020 12:21 PM

field1= || field2= || field3= || message------------error text ----------/message
this is the error message structure.

here i need to separate the events which contains error text, suppose it to be errors and display both total count and error count.

0 Karma
Reply

to4kawa
Ultra Champion
‎03-24-2020 02:24 PM

we can extract error text and message
but, isn't these actual logs?

0 Karma
Reply

shashankjuloori
New Member
‎03-25-2020 03:39 AM

Sorry, i cant paste the logs due to security reasons.
Events are logged based on the field foundation, suppose A, B, C.
and logs will be like

index=* Foundation=A | field1 | field2| ...message......errortest.../message
index=* Foundation=A | field1 | field2| ...message......errortest.../message
index=* Foundation=B | field1 | field2| ...message......errortest.../message
index=* Foundation=C | field1 | field2| ...message......errortest.../message

here i need to segregate the events based on the error text and total count, and the output should be like

Foundation        |  error count   | total count
   A            count             count
   B            count             count
   C            count            count

and i am sorry for messing up the things.

0 Karma
Reply

woodcock
Esteemed Legend
‎03-25-2020 07:14 AM

I updated my vague answer.

0 Karma
Reply

shashankjuloori
New Member
‎03-25-2020 07:16 AM

Thanks for the help.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...