Solved: Display field uniques in search

aaronnicoli · ‎08-25-2010

Hi there,

What I am after is quite straight forward really. I am trying to conduct a search of a particular index (prod_apache) and display any "File does not exist" errors.

This is very easy to accomplish (obviously)... however, I don't want to display the same file over and over again and would just like to display a list of which files don't exist.

Being that this seems like quite a straight forward thing to do (at least in my eyes) I was wondering if anyone knows how I would go about doing it.

Thanks, Aaron.

gkanapathy · ‎08-25-2010

index=prod_apache "File does not exist" | dedup file_name

Assuming you've got file_name extracted as a field containing the file name. Or:

index=prod_apache "File does not exist" | stats count by file_name

for a count of how many errors per file.

View solution in original post

gkanapathy · ‎08-25-2010

index=prod_apache "File does not exist" | dedup file_name

Assuming you've got file_name extracted as a field containing the file name. Or:

index=prod_apache "File does not exist" | stats count by file_name

for a count of how many errors per file.

aaronnicoli · ‎08-25-2010

Thanks again for your help.
After I configured the extraction, it worked perfectly.

Display field uniques in search

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life