How to make whole Statement as a field?

jw44250 · ‎05-01-2017

I have a search base like below and want to put the count as 1.

index=index1 test machine is not responding java.lang.NullPointerException as "test" | stats  count by test | dedup test

My count is 0

somesoni2 · ‎05-01-2017

The stats commands works upon the fields. Assuming whatever string you've on base search you want to show count of it, Try one of following methods.

index=index1 test machine is not responding java.lang.NullPointerException | stats count  | eval test="test machine is not responding java.lang.NullPointerException " | table test count

OR

 index=index1 test machine is not responding java.lang.NullPointerException | rex "(?<test>test machine is not responding java.lang.NullPointerException)"  | stats count by test

jw44250 · ‎05-01-2017

Thanks. let me try it.

can i do soemthing like this, it works but not gettign any result
index=index1 test machine is not responding java.lang.NullPointerException as "testmachine" | stats count by testmachine

somesoni2 · ‎05-01-2017

No you can't. YOu can't assign a field name to a string. You would need to have it extracted (like option 2) before you could use it.

How to make whole Statement as a field?

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!