Display field uniques in search

Question

Hi there,

What I am after is quite straight forward really. I am trying to conduct a search of a particular index (prod_apache) and display any "File does not exist" errors.

This is very easy to accomplish (obviously)... however, I don't want to display the same file over and over again and would just like to display a list of which files don't exist.

Being that this seems like quite a straight forward thing to do (at least in my eyes) I was wondering if anyone knows how I would go about doing it.

Thanks, Aaron.

Accepted Answer

1

index=prod_apache "File does not exist" | dedup file_name

Assuming you've got file_name extracted as a field containing the file name. Or:

index=prod_apache "File does not exist" | stats count by file_name

for a count of how many errors per file.

link

answered 25 Aug '10, 05:23

gkanapathy ♦
32.4k●4●8●27
accept rate: 41%

Thanks again for your help. After I configured the extraction, it worked perfectly.

(25 Aug '10, 22:46) aaronnicoli

Display field uniques in search

Follow this question

Splunk Resources

Related questions