Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to find old vs new errors with counts?

akasio1972
New Member
‎11-08-2015 09:16 PM

Folks

I am new in splunk so pardon the basic question here. I am trying to find in my application what are the new errors over the past 24 hours that we never encountered in the past week. Here is my current search:

CASE(ERROR) earliest=-24h@h latest=now  | stats count as errsToday by class source linecount | sort by class source linecount | appendcols [ search CASE(ERROR)  earliest=-8d@d latest=-24h@h | stats count as errsLastWeek by class source linecount| sort by class source linecount ] | eval errsLastWeek=if(isnull(errsLastWeek),0,errsLastWeek) | eval errsToday=if(isnull(errsToday),0,errsToday) | table errsLastWeek errsToday class source linecount

My question is if anyone has comments on the above search and assuming it is correct, I have the following problem. In the results I get lines as follows:

errsLastWeek    errsToday    class     source      linecount
3               4            Foo       foo.txt     5
5               0            Foo       foo.txt     5

I would like to process further so I get:

errsLastWeek    errsToday    class     source      linecount
8               4            Foo       foo.txt     5

thanks in advance for the advice
-a

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

HeinzWaescher
Motivator
‎11-09-2015 01:36 AM

What field identifies whether the event is an error? You should start your search like this:
sourcetype=foo fieldname=ERROR

If you need class, source and linecount info I would do it like this:

Set the timerangepicker to earliest=-7d@d latest=now

sourcetype=foo fieldname=ERROR
| eval today=relative_time(now(),"@d")
| stats count(eval(if(_time<today, _time, null()))) AS errors_last_week,
        count(eval(if(_time>=today, _time, null()))) AS errors_today BY class, source, linecount
| eval new_error=if(errors_last_week=0, "true", "false")

View solution in original post

Reply
Solved! Jump to solution
Solution

HeinzWaescher
Motivator
‎11-09-2015 01:36 AM

What field identifies whether the event is an error? You should start your search like this:
sourcetype=foo fieldname=ERROR

If you need class, source and linecount info I would do it like this:

Set the timerangepicker to earliest=-7d@d latest=now

sourcetype=foo fieldname=ERROR
| eval today=relative_time(now(),"@d")
| stats count(eval(if(_time<today, _time, null()))) AS errors_last_week,
        count(eval(if(_time>=today, _time, null()))) AS errors_today BY class, source, linecount
| eval new_error=if(errors_last_week=0, "true", "false")
Reply
Solved! Jump to solution

akasio1972
New Member
‎11-09-2015 06:58 AM

Thanks man! I appreciate it. Worked great

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...