Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

index = aws_ubs_n | search log IN ("*error*","*info*","*warn*") | stats count as log

surens
Explorer
‎09-07-2022 12:04 AM

How to count each log value separately?

("*error*","*info*","*warn*")

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-07-2022 12:36 AM

Hi @surens ,

ok, please try this:

index = aws_ubs_n log IN ("*error*","*info*","*warn*") 
| eval kind=case(like(log,"%error%"),"error",like(log,"%info%"),"info",like(log,"%warn%"),"warn")
| stats count AS Log_count BY kind

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

surens
Explorer
‎09-07-2022 12:53 AM

Thanks It's working fine

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-07-2022 12:11 AM

Hi @surens,

did you tried:

index = aws_ubs_n log IN ("*error*","*info*","*warn*") 
| stats count BY log

For more infos see at https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchReference/Stats

Don't use the search command after the main search, it's a best practice to put search conditions as left as possible to have faster searches.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

surens
Explorer
‎09-07-2022 12:30 AM

I want know each log count 

like 

error log    23456

info             873267

 how ?

 

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-07-2022 12:36 AM

Hi @surens ,

ok, please try this:

index = aws_ubs_n log IN ("*error*","*info*","*warn*") 
| eval kind=case(like(log,"%error%"),"error",like(log,"%info%"),"info",like(log,"%warn%"),"warn")
| stats count AS Log_count BY kind

Ciao.

Giuseppe

Reply
Solved! Jump to solution

surens
Explorer
‎09-07-2022 01:02 AM

Now how to get this option in multiselect splunk dashboard ?

 

Field For Label?
log
Field For Value?
what would enter this place ?
Tags (1)
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-07-2022 01:21 AM

Hi @surens,

in a multiselect input, you could use a search like this:

index = aws_ubs_n log IN ("*error*","*info*","*warn*") 
| eval kind=case(like(log,"%error%"),"error",like(log,"%info%"),"info",like(log,"%warn%"),"warn")
| dedup kind
| sort kind
| table kind

and use the kind value both for label and value.

Or use fixed values.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉

Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...