(which halfway does explicitly what timechart does under the hood for you) and see if that is what you want. timechart already assigns time to one dimension, so you can only add one other with the by clause. I know that can't use - but I must do it and when I remove it, the results keeping null (0 results). The problem is that you cant split by more than two fields with a chart command. Source="/logfiles.log" | rex "UA=(?\w+)" | stats count(eval(user-agent="")) as TOKYO

but returns the error: Error in 'rex' command: Encountered the following error while compiling the regex 'UA=(?\w+)': Regex: syntax error in subpattern name (missing terminator). The results should be something like: tokyo | new-york | helsing I have data with status codes 100-900 that tracks the progress of a process that happens daily. I just finished the Fundamentals I training and am now wanting to do some more sophisticated things with the SPL. Hi all, first question on Splunk Answers. But after that, they are in 2 columns over 2 different rows. Multiple stats counts on different criteria. Combined: search1 append search search2 stats values (TotalFailures) as S1, values (TotalValues) as S2 eval ratioround (100S1/S2, 2) Need to use append to combine the searches. This example uses eval expressions to specify the different field values for the stats command to count. A user can perform a lot of functions such as finding the average, grouping the results by a field, performing multiple aggregations, finding the range, finding mean and variance, etc. It's more flexible than timechart as the can be something other than time. A user can use more than one function by invoking the stats command, however, a user can make the use of BY clause only once. 13:51:57,533 INFO class:ControllerV1, UA=, GW=

For the example above, I must increment the counter if GW != null, so I've three counters, for tokyo, new-york and helsing. baseSearch stats dc (txnid) as TotalValues.
multiple results from rex into their own separate rows. This is an older one - but for reference: I don't think, that this is completely true. With eventstats I get per logger one line. 13:51:32,922 INFO class:ControllerV1, UA=, GW= Thanks, but with the stats command I got one line per ID and the loggers in columns next to it. 13:51:31,865 INFO class:ControllerV1, UA=, GW= stats count by Category,Status stats values (Status) AS Status, values (count) AS Count by Category.I'm newbie with Splunk and I'm trying make a query to count how many requests have a determinate value, but this counter must be incremented if a specific attribute is on the request.

Example: 13:51:28,802 INFO class:ControllerV1, UA=, GW=