Splunk eval to count instances

12/2/2023

The following are examples for using the SPL2 bin command. Return the average for a field for a specific time span: bin the search results using a 5 minute time span on the _time field, then return the average 'thruput' of each 'host' for each 5 minute time span. To learn more about the bin command, see How the bin command works.

I have a search created, and want to get a count of the events returned by date. Is there a way to get the date out of _time? (I tried to build a rex, but it didn't work.) I know the date and time is stored in _time, but I don't want to count by _time, because I only care about the date, not the time.

I have a log as the following and I need to count the number of occurrences of the TagID word in such an event (how many times the TagID word exists per event). How can I do that in a search?

Tue 04:47:18,515 EDT DEBUG - Method invoked with parameters : "

My log files log a bunch of messages in the same instance, so simply searching for a message id followed by a count will not work (I will only count 1 per event when I want to count as many as 50 per event). I want to first narrow down my search to the events which show messages being sent ('enqueued'), and then count all instances of the string.

The first line is just to build an event which contains your data; the rex and the stats will do the work.

I have a use case to use the ML feature to detect the anomaly in comm sent from each ID.

We presently have a setup where error codes are extracted and put into their own field. The way it's been set up is that we extract all instances where it matches a certain regex pattern (e.g. "ERROR-" -> ERROR-1234, ERROR-5869 etc), meaning as the error code is repeated in the event we get multiple instances of the same item in the field (e.g. "ErrorField" = ERROR-1234, ERROR-1234, ERROR-5869). Doing 'stats count by ErrorField' seems to return all items, even the ones that are repeated, as we'd get ERROR-1234 = 700 on the stats count, but a simple search where ErrorField=ERROR-1234 returns say 300 events only. My two possibles are creating a table of field instances, and then using that to launch a second search, or performing a sub search to capture the unique fields that are then used to count the events by field. I've tried to come up with a way to filter out the duplicates in the search but have so far come up short. Is this possible to do, and is there a right way to do this, either continuing with the method above or using a subsearch? Alternately, is it possible to remove duplicates in the original field extraction so this isn't necessary? Although that option may not be possible, as the field extraction isn't handled by ourselves and I can't say too much about it.

For instance, in the previous example, the fields could be extracted using: rex ' 200 AND ErrorField!="ERROR-X-" | replace ERROR-X-* with ERROR-X- in ErrorField

If it's the former, are you looking to do this over time, i.e. are you looking to calculate the average from daily counts, or from the sum of 7 days' worth? This is the confusing part.
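The three counting problems raised above (events per date rather than per _time, every occurrence of a string inside each event rather than one per event, and events per distinct error code when the extracted field holds repeated values) plus the documented bin/avg pattern can each be done in a short SPL pipeline. The searches below are added examples written for this page; they are not code posted by any of the original askers or taken from Splunk's documentation. The index `app`, the sourcetype `my_app`, and the field names `tag`, `tag_count`, `tagid_occurrences` and `avg_thruput` are assumptions; `ErrorField`, `TagID`, `enqueued`, `thruput` and `host` are the names used in the text.

```spl
index=app sourcetype=my_app "Method invoked"
| bin _time span=1d
| stats count AS events BY _time

index=app sourcetype=my_app "enqueued"
| rex max_match=0 field=_raw "(?<tag>TagID)"
| eval tag_count=coalesce(mvcount(tag), 0)
| stats sum(tag_count) AS tagid_occurrences, count AS events

index=app sourcetype=my_app ErrorField=*
| eval ErrorField=mvdedup(ErrorField)
| stats count AS events BY ErrorField

index=app sourcetype=my_app
| bin _time span=5m
| stats avg(thruput) AS avg_thruput BY _time host
```

The first search truncates each event's _time to midnight with `bin span=1d`, so `stats count BY _time` groups by calendar day without any rex against the timestamp; `eval day=strftime(_time, "%Y-%m-%d")` followed by `stats count BY day` gives the same result as a string. In the second search, `rex max_match=0` returns every match as a multivalue field instead of stopping at the first, and `mvcount` turns that into a per-event count (wrapped in `coalesce` because `mvcount` of a missing field is null, which `sum` would otherwise silently skip); summing it over the 'enqueued' events counts all 50 occurrences in an event rather than 1. The third search applies `mvdedup` before the `stats`, so an event whose ErrorField contains ERROR-1234 twice contributes one row to that code's count; a quick check is that `events` for ERROR-1234 now matches `ErrorField=ERROR-1234 | stats count`, the 300 rather than the 700 from the unmodified field. The last search is the documented 5 minute bin and average by host.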