Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How get a total count based on the substring value?

Sureshp191
Explorer
‎06-13-2023 03:00 PM

Below is the splunk query,  (My.Message has many various types of messages but the below one is what I wanted)

index="myIndex" app_name="myappName"  My.Message = "*symbolName:*" 

When I run the above query, I get the below results:

myappstatus got Created, symbolName: AAPL ElapsedTime: 0.0002009

myappstatus got Ended, symbolName: GOOGL ElapsedTime: 0.0005339

myappstatus got Created, symbolName: AAPL ElapsedTime: 0.0005339

Please help on the following: 
1) How to get the Total count of the query (Visualization) only for My.Message = "*symbolName:*" 
2) How to split the string "myappstatus got Created, symbolName: AAPL ElapsedTime: 0.0002009" 
3) How to create a table for "symbolName", "Total Count", "ElapsedTime"

(for example, symbolName: AAPL, Total Count = 2 and ElapsedTime = 0.0007348 (0.0002009 + 0.0005339)

Thanks

Labels (2)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yeahnah
Motivator
‎06-13-2023 10:07 PM

Hi @Sureshp191 

OK, to dedup  results do it this way...

index="myIndex" app_name="myappName"  My.Message = "*symbolName:*" 
| rex "symbolName: (?<symbolName>\w+) ElapsedTime: (?<ElapsedTime>[^\s]+)"
| stats count AS "Total Count" sum(ElapsedTime) AS "Total ElapsedTime" BY symbolName

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

yeahnah
Motivator
‎06-13-2023 06:13 PM

Hi @Sureshp191 

Based on the example events provided, here's some demonstration run anywhere code showing a method to do what you want...

| makeresults
| eval raw="myappstatus got Created, symbolName: AAPL ElapsedTime: 0.0002009
myappstatus got Ended, symbolName: GOOGL ElapsedTime: 0.0005339
myappstatus got Created, symbolName: AAPL ElapsedTime: 0.0005339"
| eval raw=split(raw, "
")
| mvexpand raw
| rename raw AS _raw
  ``` the above is just creating dummy events to test the following SPL code with ```
| rex "symbolName: (?<symbolName>\w+) ElapsedTime: (?<ElapsedTime>[^\s]+)"
| eventstats count AS "Total Count" list(ElapsedTime) AS listElapsedTime sum(ElapsedTime) AS "Total ElapsedTime" BY symbolName
| table symbolName "Total Count" "Total ElapsedTime"

 Hope that helps

0 Karma
Reply
Solved! Jump to solution

Sureshp191
Explorer
‎06-13-2023 09:22 PM

Thanks, I got the output but symbolName AAPL is duplicatedSnag_682940b.png

0 Karma
Reply
Solved! Jump to solution
Solution

yeahnah
Motivator
‎06-13-2023 10:07 PM

Hi @Sureshp191 

OK, to dedup  results do it this way...

index="myIndex" app_name="myappName"  My.Message = "*symbolName:*" 
| rex "symbolName: (?<symbolName>\w+) ElapsedTime: (?<ElapsedTime>[^\s]+)"
| stats count AS "Total Count" sum(ElapsedTime) AS "Total ElapsedTime" BY symbolName

 

0 Karma
Reply
Get Updates on the Splunk Community!

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...