How to get the stats of multiple search string

ibob0304 · ‎12-18-2019

I am trying to get the stats for the search keywords. My query will list the errors by time but it wont tell me how many errors came for each search string.

index=main source=*event* | search "NETWORK error" OR "OPS error" OR "NETSTAT ERROR" | bucket span=5m _time | stats count by _time

woodcock · ‎12-18-2019

Like this:

index=main source=*event* AND ("NETWORK error" OR "OPS error" OR "NETSTAT ERROR")
| timechart span=5m count AS total count(eval(searchmatch("NETWORK error")) AS network_error count(eval(searchmatch("OPS error")) AS ops_error count(eval(searchmatch("NETSTAT error")) AS netstat_error

aberkow · ‎12-18-2019

index=main source=*event* ("NETWORK error" OR "OPS error" OR "NETSTAT ERROR")
| eval searchString = case(like(_raw, "%NETWORK error%"), "Network Error", like(_raw, "%OPS error%"), "Ops Error",  like(_raw, "%NETSTAT error%"), "Netstat Error", 1==1, "Incorrect searchString match, please refactor")
| stats count by searchString

I just assumed you were using the _raw field for your search and moved it up into the main search, but the general idea is you want to use a field with a string match - either like, equals, match, etc (check out some options here https://docs.splunk.com/Documentation/Splunk/8.0.0/SearchReference/ConditionalFunctions#like.28TEXT....) to create a field you can stats count by. You could do this in a bunch of other ways too, but I think this is the cleanest one.

Hope this helps!

How to get the stats of multiple search string

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio