Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

count over a subtime

sirdomi
New Member
‎05-05-2014 07:03 AM

Hello

I have the following query which gives me a grouped list of the java stacktraces with a total count:

tag::eventtype="host5" LogLevel="ERROR" | stats sparkline(count) as sparkline, count by CallstackEntry | sort count desc

How can I add an additional column with a count of the errors during the last hour?

Thank you very much!
Domi

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎05-05-2014 12:43 PM

You can do this:

tag::eventtype="host5" LogLevel="ERROR" | eval 1h_ago = if(_time >= relative_time(now(), "-h"), 1, 0)
| stats sparkline(count) as sparkline count sum(1h_ago) as count_last_hour by CallstackEntry
| sort count desc

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎05-05-2014 12:43 PM

You can do this:

tag::eventtype="host5" LogLevel="ERROR" | eval 1h_ago = if(_time >= relative_time(now(), "-h"), 1, 0)
| stats sparkline(count) as sparkline count sum(1h_ago) as count_last_hour by CallstackEntry
| sort count desc
Reply
Solved! Jump to solution

sirdomi
New Member
‎05-06-2014 12:09 AM

Thank you very much for this elegant solution Martin!

0 Karma
Reply
Solved! Jump to solution

cramasta
Builder
‎05-05-2014 12:47 PM

very nice solution.

0 Karma
Reply
Solved! Jump to solution

sirdomi
New Member
‎05-05-2014 08:47 AM

Thanks, but I want the number of occurences of this errormessage during the last hour..

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-05-2014 08:45 AM

If the columns that you want to add are unique for that error/CallstackEntry, then you can add them by adding first(fieldName) into your stats. e.g.

ag::eventtype="host5" LogLevel="ERROR" | stats sparkline(count) as sparkline, count, first(errorMessage) as errorMessage, first(severity) as severity by CallstackEntry | sort count desc

0 Karma
Reply
Solved! Jump to solution

sirdomi
New Member
‎05-05-2014 07:35 AM

Hi somesoni2

The log file contains java logs with errors (stack traces).
The query gives a list of these errors (grouped together) and the corresponding count of each error over the whole time.
What I want is an additional column with just the count over the last day for each error.

Regards, Domi

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-05-2014 07:24 AM

What other columns you want to add? Can you provide sample logs along with the expected output?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...