can some one suggest a query to send the unique errorcode count.
Example enter image description here 2006
in between the tags(in place of 2006) different codes are printed
i need to query to pull all the unique error codes
You can use the rex command to extract the desired values. It will look something like this:
your_initial_query
| rex field=_raw "<com:errorCode>(?<code>.*)<\/com:errorCode>"
| stats count by code
The second line tells rex to extract everything between the errorCode tags and save that to a field called code. You can then use the stats command to count the number of times a code is seen.
Related
I have 5 different searches I am doing in Splunk where I am getting the count of how many results from that search query.
I've had a look at this thread here:
https://answers.splunk.com/answers/757081/pie-chart-with-count-from-different-search-criteri.html
but its not quite working for me, I'm not 100% sure if its what I want.
My search queries all look something like this:
index=A variable="foo" message="Created*" | stats count
index=A variable="foo" message="Deleted*" | stats count
I ideally want to assign each query to a keyword - such as created, deleted, etc, then do a pie chart based on the counts.
The following should be sufficient.
index=A variable="foo" message="Created*" OR message="Deleted*" OR message="<repeat this for any other message types you want>" | stats count by message
If you can provide some more examples of the events you are trying to chart, there may be alternate approaches that can work for you.
This version will extract the key part of the message (Created, Deleted. etc...) into a field called mtype and you can then perform stats on that field.
index=A variable="foo" message="Created*" OR message="Deleted*" OR message="<repeat this for any other message types you want>" | rex field=message "(?<mtype>Created|Deleteted|...)" | stats count by mtype
I want to be able to extract multiple fields in splunk using rex, but I am only able to extract 3 fields, then it stops working. An example of this is:
rex field=_raw "(?<email>\w+);(?<OrderNumber>\w+);(?<shippingStreet>\w+)"
That expression above shows 3 new fields in splunk which is perfect! but as soon as I add one more field, it doesn't show anything at all. is there a limit of 3 fields with rex?
#Papaya2226
Have you tried max_match option of rex command?
use: max_match=0
https://docs.splunk.com/Documentation/Splunk/7.3.2/SearchReference/Rex#Usage
I want to print the value of a certain field from a set of events that results from running a particular search query. Here's my query:
index=abc "all events that contain this string" sourcetype=prd
Now, this returns certain events that contain a field called traceId. What I want is to extract unique traceIds from the result and print them. Here's the query that I am using currently, but to no avail:
index=abc "all events that contain this string" sourcetype=prd | rex field=_raw "traceId: (?<traceId>.*)"
This query prints all the fields in the event (events are printed as JSON docs.).
Can someone help me with this? I have never worked with Splunk before, so please go easy if the question looks a bit easy.
Thanks!
Answering this without some sample data is almost impossible... still, I think you are getting all data because:
you are not using the fields command to filter your fields of interest. It would go like so: `index=abc "all events that contain this string" sourcetype=prd | rex field=_raw "traceId: (?.*) | fields fiel1, field2, traceId"
your regular expression is greedy, which means traceId field will contain all text from that point to the end of the event. Try to be more specific i.e. \d+ for numeric data or even [^\s]+ for non-blanks.
~HTH
My log files log a bunch of messages in the same instance, so simply search for a message id followed by a count will not work (I will only count 1 per event when I want to count as many as 50 per event). I want to first narrow down my search to the events which show messages being sent ("enqueued"), and then count all instances of the string "mid".
Any ideas? I am very bad with splunk. How to I get all instances of "mid" to be a countable field?
index=* service=myservice "enqueued" "mid" | stats count mid
Your current search doesn't work because you (probably) don't have a field called 'mid'.
To search for strings within the event you can use rex. Try this.
index=* service=myservice "enqueued" "mid"
| rex max_match=0 "(?<mids>mid)"
| eval midCount=mvcount(mids)
| table midCount
BTW, "index=*" is a bad practice. It forces Splunk to search in every index, which really slows things down. After your first search you should know and use the real index name.
This might be a really simple question, but I haven't been able to find an answer as of yet. I have some raw data from some events that is for example "(duration 5555ms)" and I want to put that in a "| timechart span=1m count by duration" to create a chart that shows when these events took place and their total duration. There is currently no field set up for duration, it is just raw data. How would I get those numbers into my time chart?
You will first need to extract the value for duration into a field. You will most likely use the regex (rex) function for this.
The exact command you need will depend a lot on your data. But for your example "(duration 5555ms)", this should work assuming the value is always in ms.
| rex field=_raw "\(duration (?<duration>\d+)ms.*"