Splunk search the key in json - splunk

Could anyone help me with the below Splunk query?
I want to get the count of records by message.type. The message.type can take value either 'typeA' or 'typeB'.
I tried the below query, but it lists and doesn't give the count in the result, that is, a separate count for typeA and typeB.
The messages are below.
message: name=app1,version=1, type=typeA,task=queryapp
message: name=app2,version=1, type=typeB,task=testapp
message: name=app1,version=1, type=typeB,task=issuefix
index=myapp message="name=app1"
| stats count by message.type

Ideally, you would modify the logs so that type is its own JSON field.
However, if you are stuck with
{"message" : "name=app1,version=1, type=typeA,task=queryapp"}
then I suggest the following solution:
index=myapp message=*
| rex field=message "type=(?<myType>[a-zA-Z]+)"
| stats count by myType
The rex command here is extracting a new splunk field named myType from the existing message field based on the supplied regular expression.

Related

Splunk Query to get comma separated value as single value

In logs we have a value "device=xyz,1"; here we need to consider "xyz,1" as a single value and display it in a table format. But now when we run a query it just displays the device value as "xyz" and misses out ",1". How to consider it as a single value?
Query example: ....|eval device = if(isnull(device), "notFound", device) | table device
From the above query
Expectation:
Table should have column name as device and value should be "xyz,1"
What is actually happening:
Table has column name as device but value is "xyz"
I have tried mvjoin but it's not helping.
Please suggest a solution
You may need to custom-extract the value (until you can get the sourcetype's props.conf and transforms.conf updated).
Something like this should work:
<search>
| rex field=_raw "device=(?<device>\S+)"
<rest of search>
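Added example (not code from either answer): a small Python model of what `rex field=... "key=(?<name>pattern)" | stats count by name` does, run over constructed events for both the JSON-wrapped message of the first question and the device=xyz,1 line of this one. It shows the two things the answers leave implicit: the character class in the capture group decides where the value stops (so [a-zA-Z]+ silently truncates a type that contains a digit or underscore, while \S+ keeps the comma in xyz,1), and an event the regex does not match simply has no field and drops out of a `stats ... by`. The sample events and the narrower "stop at the comma" pattern used to reproduce the second poster's symptom are assumptions for illustration; Python spells a named group (?P<name>...) where Splunk uses (?<name>...).

```python
import re
from collections import Counter

# Constructed sample events, not real Splunk data: three JSON-wrapped
# "message" values from the first question and three raw lines for the
# device=xyz,1 case. Python names a capture group (?P<name>...); the
# rex command in Splunk uses (?<name>...) for the same thing.
JSON_EVENTS = [
    {"message": "name=app1,version=1, type=typeA,task=queryapp"},
    {"message": "name=app2,version=1, type=typeB,task=testapp"},
    {"message": "name=app1,version=1, type=typeB,task=issuefix"},
]
RAW_EVENTS = [
    "host=fw1 device=xyz,1 action=allow",
    "host=fw2 device=abc,2 action=deny",
    "host=fw3 action=allow",               # no device= key at all
]


def rex(text, pattern):
    """Model of `rex`: the named groups of the first match, or {} when the
    regex does not match (Splunk simply leaves the field absent)."""
    m = re.search(pattern, text)
    return m.groupdict() if m else {}


def count_by_type(events, pattern=r"type=(?P<myType>[a-zA-Z]+)"):
    """`rex field=message "<pattern>" | stats count by myType`."""
    counts = Counter()
    for ev in events:
        fields = rex(ev["message"], pattern)
        if "myType" in fields:      # stats ... by drops events lacking the field
            counts[fields["myType"]] += 1
    return dict(counts)


def extract_device(line, pattern=r"device=(?P<device>\S+)"):
    """`rex field=_raw` with the answer's pattern, followed by the poster's
    `eval device=if(isnull(device), "notFound", device)`."""
    return rex(line, pattern).get("device", "notFound")


if __name__ == "__main__":
    print(count_by_type(JSON_EVENTS))
    # The character class decides what survives: [a-zA-Z]+ stops at the first
    # digit or underscore, so a hypothetical "type=type_A2" is counted as "type".
    odd = [{"message": "name=app3,version=2, type=type_A2,task=x"}]
    print(count_by_type(odd))
    print(count_by_type(odd, r"type=(?P<myType>[^,\s]+)"))
    # Stopping at the comma (roughly what automatic key=value extraction did
    # for the second poster; an assumed pattern) loses ",1"; \S+ keeps it.
    print(extract_device(RAW_EVENTS[0], r"device=(?P<device>[^,\s]+)"))
    for line in RAW_EVENTS:
        print(extract_device(line))
```

Usage note: the \S+ pattern is only right because the device value is followed by a space; if the log ever prints "device=xyz,1,action=allow" with no space, \S+ swallows everything to the end of the token, so check a few raw events before trusting the extraction in a report.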

Splunk: I am trying to create report by writing a query but the values are not displaying under statistics. How can I resolve this?

I am new to the Splunk tool. I am trying to create a report by using a query. The data is not getting loaded under Statistics, but I can see the logs under the Events. Is there something that I am missing in my below query?
index="cba_strat_risk" sourcetype IN ("kube:container:abc-service", "kube:container:xyz-service")
| stats count as count, count(eventtype="nix-all-logs") as success-count, count(eventtype="nix_errors") as error-count
| eval success_percentage=round(success-count/count*100,2)
| eval error_percentage=round(error-count/count*100,2)
| fields sourcetype eventtype success-count error-count success_percentage error_percentage
Also attaching the screenshot:
Please do let me know, if I am missing something.
The Statistics tab is loaded by stats commands (like stats, chart, and timechart), which you have in your query. The problem is the values shown are either null or zero.
First, avoid hyphens (a.k.a. minus signs) in field names. They only lead to parsing problems.
Second, the construct count(eventtype="nix-all-logs") won't work. To count the results of an expression, you must use eval, as in count(eval(eventtype="nix-all-logs")). However, in that case, count is not the function to use as it will return the number of ones and zeroes returned by eval. Instead, use sum(eval(eventtype="nix-all-logs")) to get the number of events meeting the eval criteria.
I was able to make it work:
index="cba_strat_risk" sourcetype IN ("kube:container:abc-service", "kube:container:xyz-portal", "kube:container:zzz-landing")
| stats count as total_count, count(eval(eventtype="nix-all-logs")) as success_count, count(eval(eventtype="nix_errors")) as error_count by sourcetype
| eval success_percentage=round(success_count/total_count*100,2)
| eval error_percentage=round(error_count/total_count*100,2)
| rename sourcetype as Service
| rename success_count as "Success Count"
| rename error_count as "Error Count"
| rename error_percentage as "Error Percentage"
| rename success_percentage as "Success Percentage"
| fields Service "Success Count" "Success Percentage" "Error Count" "Error Percentage"

Splunk join two query to based on result of first query

In Splunk I have two queries like below.
Query 1: index=mysearchstring1
Result: employid=123
Query 2: index=mysearchstring2
Here I want to use employid=123 in my query 2 to look up and return the final result.
Is it possible in Splunk?
It sounds like you're looking for a subsearch.
index=mysearchstring2 [ search index=mysearchstring1 | fields employid | format ]
Splunk will run the subsearch first and extract only the employid field. The results will be formatted into something like (employid=123 OR employid=456 OR ...) and that string will be appended to the main search before it runs.
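Added example (Python, not SPL, and not from the answer): a model of the subsearch mechanics described above, run over constructed events for the two indexes. It builds the literal clause that `format` produces in its default layout, `( ( employid="123" ) OR ( employid="456" ) )`, and applies it to the outer index. Two details are assumptions made explicit here: the modelled pipeline adds `dedup employid` so a repeated id is not emitted twice, and the result cap is the default subsearch maxout of 10000 from limits.conf, which is the usual reason a subsearch join silently loses matches on large result sets. What Splunk substitutes for an empty subsearch is version-dependent and not modelled.

```python
# Constructed events for the two indexes named in the post; not real data.
INDEX1 = [                       # index=mysearchstring1: where employid comes from
    {"employid": "123", "event": "badge-in"},
    {"employid": "456", "event": "badge-in"},
    {"employid": "123", "event": "badge-out"},   # same id twice
    {"event": "heartbeat"},                      # no employid field at all
]
INDEX2 = [                       # index=mysearchstring2: the outer search
    {"employid": "123", "action": "login", "host": "srv1"},
    {"employid": "789", "action": "login", "host": "srv2"},
    {"employid": "456", "action": "sudo", "host": "srv1"},
]

# limits.conf [subsearch] maxout default; assumed to be in effect here.
SUBSEARCH_MAXOUT = 10000


def subsearch_values(events, field="employid", maxout=SUBSEARCH_MAXOUT):
    """`search index=mysearchstring1 | fields employid | dedup employid`:
    the distinct ids, in first-seen order, cut off at maxout. Events without
    the field contribute nothing."""
    values = []
    for ev in events:
        if field in ev and ev[field] not in values:
            values.append(ev[field])
    return values[:maxout]


def subsearch_format(events, field="employid", maxout=SUBSEARCH_MAXOUT):
    """`... | format` in its default layout: the OR clause Splunk splices into
    the outer search. Returns "" when there is nothing to splice (the real
    substitution for an empty subsearch is not modelled)."""
    values = subsearch_values(events, field, maxout)
    if not values:
        return ""
    return "( " + " OR ".join('( %s="%s" )' % (field, v) for v in values) + " )"


def join_via_subsearch(outer, inner, field="employid", maxout=SUBSEARCH_MAXOUT):
    """index=mysearchstring2 [ search index=mysearchstring1 | fields employid
    | dedup employid | format ]: returns the generated clause and the outer
    events it keeps."""
    clause = subsearch_format(inner, field, maxout)
    wanted = set(subsearch_values(inner, field, maxout))
    return clause, [ev for ev in outer if ev.get(field) in wanted]


if __name__ == "__main__":
    clause, kept = join_via_subsearch(INDEX2, INDEX1)
    print(clause)
    for ev in kept:
        print(ev)
    # A tiny maxout shows the silent truncation: only the first id survives.
    print(join_via_subsearch(INDEX2, INDEX1, maxout=1)[0])
```

Usage note: because the subsearch runs to completion before the outer search starts, keep it narrow (a tight time range, `fields` to the join key, `dedup`) and, when the id list can exceed the cap, prefer a lookup table or `stats ... by employid` over both indexes instead of a subsearch.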

Splunk: Duplicate Fields, different fields - merge

I have a number of individual records in Splunk all with a common field of X, which I'm trying to combine.
E.g
User-name=JG, srcIP=10.0.0.1
User-name=JG,file=jg.docx
User-name=JG, dstIP=10.1.1.0
User-name=JG,Email=jg#jg.com
User-name=AB, srcIP=10.0.0.2
User-name=AB,file=AB.docx
User-name=AB, dstIP=10.2.2.0
User-name=AB,Email=AB#AB.com
I want to do the following search: Group all the records which match by the User-name fields, and allow me to manipulate the fields.
E.g
USERNAME, srcIP, file, dstIP, Email
JG, 10.0.0.1, jg.docx, 10.1.1.0, jg#jg.com
AB, 10.0.0.2, AB.docx, 10.2.2.0, AB#AB.com
Thank you!
You can check out the stats command to do this:
your search
| stats latest(srcIP) as srcIP, latest(file) as file, latest(dstIP) as dstIP, latest(Email) as Email by User-name
You can then perform any operations you want to on these fields. The latest function will give you the latest value seen for srcIP/file etc. for that user name.
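Added example (Python model, not the answer's SPL): the eight records from the question, with timestamps added and one extra srcIP for JG that the question does not have, pushed through a model of `stats latest(...) by User-name`. It shows the merge the answer describes and the caveat that matters when this is used for an investigation: latest() keeps exactly one value per field, so JG's first source address disappears, while `stats values(...)` keeps every distinct value. Field names are case-sensitive in Splunk, so the sample field is spelled Email to match the records. The timestamps and the extra record are assumptions for illustration.

```python
# Constructed events modelled on the post's eight lines, with _time added
# (the post shows no timestamps) and one extra srcIP for JG to show what
# latest() does when a field has two values for the same user.
EVENTS = [
    {"_time": 1, "User-name": "JG", "srcIP": "10.0.0.1"},
    {"_time": 2, "User-name": "JG", "file": "jg.docx"},
    {"_time": 3, "User-name": "JG", "dstIP": "10.1.1.0"},
    {"_time": 4, "User-name": "JG", "Email": "jg#jg.com"},
    {"_time": 5, "User-name": "AB", "srcIP": "10.0.0.2"},
    {"_time": 6, "User-name": "AB", "file": "AB.docx"},
    {"_time": 7, "User-name": "AB", "dstIP": "10.2.2.0"},
    {"_time": 8, "User-name": "AB", "Email": "AB#AB.com"},
    {"_time": 9, "User-name": "JG", "srcIP": "10.0.0.9"},
]
FIELDS = ["srcIP", "file", "dstIP", "Email"]


def stats_latest_by(events, by="User-name", fields=FIELDS):
    """`stats latest(srcIP) as srcIP, ... by User-name`: one row per user;
    each field holds the value from the most recent event that carried it.
    Field names are case-sensitive, so latest(email) would find nothing."""
    rows = {}
    for ev in sorted(events, key=lambda e: e["_time"]):
        row = rows.setdefault(ev[by], {by: ev[by]})
        for f in fields:
            if f in ev:
                row[f] = ev[f]        # a later event overwrites: that is latest()
    return [rows[k] for k in sorted(rows)]


def stats_values_by(events, by="User-name", fields=FIELDS):
    """`stats values(srcIP) as srcIP, ... by User-name`: keep every distinct
    value (Splunk returns them sorted) so a second source address is not
    silently dropped. A field with one value stays a plain string."""
    seen = {}
    for ev in events:
        per_user = seen.setdefault(ev[by], {})
        for f in fields:
            if f in ev:
                per_user.setdefault(f, set()).add(ev[f])
    out = []
    for user in sorted(seen):
        row = {by: user}
        for f in fields:
            if f in seen[user]:
                vals = sorted(seen[user][f])
                row[f] = vals[0] if len(vals) == 1 else vals
        out.append(row)
    return out


if __name__ == "__main__":
    for row in stats_latest_by(EVENTS):
        print(row)
    for row in stats_values_by(EVENTS):
        print(row)
```

Usage note: pick latest() when the report needs one value per column (a single row per user for a dashboard table), and values() when the point is completeness, for example every source address a user has been seen from.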

Splunk breakdown results by matched search phrase

I'm searching for a few different search terms, and I would like stats grouped by which term matched:
"PhraseA" "PhraseB" "PhraseC" | timechart count by <which Phrase matched>
What should be in place of <which Phrase matched>? I will be building a stacked bar chart with the results.
Try creating a category field using eval and case, and using that in your chart:
index=whatever_index ("PhraseA" OR "PhraseB" OR "PhraseC")
| eval matched_phrase=case(searchmatch("PhraseA"), "PhraseA", searchmatch("PhraseB"), "PhraseB", searchmatch("PhraseC"), "PhraseC")
| timechart count by matched_phrase
Lots more good info in the Splunk documentation for these functions.
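Added example (a Python model, not SPL and not from the answer): constructed events run through a model of `eval matched_phrase=case(searchmatch(...), ...) | timechart count by matched_phrase`. It makes two behaviours of case() visible that decide whether the stacked bar chart is honest: case() returns the first true branch, so an event that contains both PhraseA and PhraseB is attributed to PhraseA only, and an event matching no branch gets a null label and vanishes from the split-by series. A second function counts every phrase an event matches, which is what `stats count(eval(searchmatch("PhraseA"))) as PhraseA ...` gives in SPL. The model assumes the base search is ("PhraseA" OR "PhraseB" OR "PhraseC"), a case-insensitive whole-term match for searchmatch, and hourly buckets in place of _time; all sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

PHRASES = ["PhraseA", "PhraseB", "PhraseC"]

# Constructed events with an hourly bucket standing in for _time; not real logs.
EVENTS = [
    {"bucket": "10:00", "_raw": "PhraseA seen on host1"},
    {"bucket": "10:00", "_raw": "PhraseB seen on host2"},
    {"bucket": "11:00", "_raw": "PhraseA and PhraseB seen together"},   # two phrases
    {"bucket": "11:00", "_raw": "phrasec seen on host3"},                # case differs
    {"bucket": "11:00", "_raw": "nothing interesting"},                  # matches none
]


def searchmatch(raw, phrase):
    """Model of searchmatch("PhraseA"): a case-insensitive whole-term match."""
    return re.search(r"\b%s\b" % re.escape(phrase), raw, re.IGNORECASE) is not None


def base_search(events):
    """("PhraseA" OR "PhraseB" OR "PhraseC"): keep events matching any term."""
    return [ev for ev in events if any(searchmatch(ev["_raw"], p) for p in PHRASES)]


def matched_phrase(raw):
    """eval matched_phrase=case(searchmatch("PhraseA"), "PhraseA", ...):
    case() returns the first branch that is true, so an event containing two
    phrases is labelled with the earlier one only; with no true branch the
    field is null (None here)."""
    for p in PHRASES:
        if searchmatch(raw, p):
            return p
    return None


def timechart_count_by(events):
    """timechart count by matched_phrase -> {bucket: {phrase: count}}.
    Events whose matched_phrase is null fall out of the split-by series."""
    chart = defaultdict(Counter)
    for ev in base_search(events):
        label = matched_phrase(ev["_raw"])
        if label is not None:
            chart[ev["bucket"]][label] += 1
    return {bucket: dict(counts) for bucket, counts in chart.items()}


def count_every_match(events):
    """Alternative when overlaps matter: count each phrase on its own, as
    `stats count(eval(searchmatch("PhraseA"))) as PhraseA ...` does in SPL, so
    an event containing two phrases lands in both series (totals can then
    exceed the event count)."""
    counts = Counter()
    for ev in base_search(events):
        for p in PHRASES:
            if searchmatch(ev["_raw"], p):
                counts[p] += 1
    return dict(counts)


if __name__ == "__main__":
    print(timechart_count_by(EVENTS))
    print(count_every_match(EVENTS))
```

Usage note: if the phrases are mutually exclusive in the data, the case() version is fine and the bars sum to the event count; if they can co-occur, order the case() branches from most to least specific, or switch to the per-phrase counts and accept that the series overlap.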