Group the events

ncbshiva · ‎06-13-2013

Hi

I have a log file , i want to search events for first occurrence of word "error" in that file, till the first occurrence of word "READY TO ACTIVATE".

I want to list all the events between first occurrence of "error" and first occurrence of "READY TO ACTIVATE".

Please help me ..........

kristian_kolb · ‎06-14-2013

Using transaction like Ayn suggests; you'll get multivalued fields. Assuming that you have a field called 'status' which in your case contains either 'error' or 'ok', you could do (after the transaction)

| eval err = mvfilter(match(status, "error")) |  eval err_count = mvcount(err)

If all the events in the transaction contains status=error, you could use the eventcount field that is created by the transaction. Perhaps subtract 1 from the eventcount, if the 'READY TO ACTIVATE' event does not contain 'error'.

Without sample events, it is a lot harder to give you good advice.

/K

ncbshiva · ‎07-02-2013

Hi kristian.kolb

I am not getting the count of word "error" correctly, If there are two "error" words in the log file , its giving the count as one only....

please help me....

Ayn · ‎06-14-2013

Use transaction.

... | transaction startswith="error" endswith="READY TO ACTIVATE"

ncbshiva · ‎06-14-2013

i have used the same, but i need to evaluate the count of "error" from line 1 till the first occurrence of "READY TO ACTIVATE"

Thanks in advance.......

ncbshiva · ‎06-13-2013

Hi

I have a log file , i want to evaluate count of errors from line 1 of the file till the first occurrence of "READY TO ACTIVATE" phrase.

Please help me ..........

Group the events

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?