Re: How can I refine this search string to grab th...

belamg · ‎08-02-2019

How can I refine this search string to grab those for the whole year and add other Splunk commands to break them into common ‘buckets’ with counts for each type of error without duplicate error types?

sourcetype=was_prod source="*/srs/Automation" "error"

DavidHourani · ‎08-04-2019

Hi @belamg,

First to search over one year make sure your time picker is set to one year or if you wish to have the filters in your search then use the following :

earliest=-1y latest=now()

Then, to get your count per error type your search becomes like this :

sourcetype=was_prod source="*/srs/Automation" "error"   earliest=-1y latest=now() 
| stats count by errorType

Make sure the error types are extracted in a field called errorType so you can run the stats command.

Cheers,
David

Sukisen1981 · ‎08-03-2019

hi @belamg - This is a rather vague question.
When you add a string like "error" to your search, by default it will pick up all occurrences of the string 'error' if they are present in your _raw events.
can you give an example of your raw events with error and what is your expected output?

How can I refine this search string to grab those for the whole year and add other Splunk commands to break them into common ‘buckets’ with counts for each type of error without duplicate error types?

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...