Reputation: 1962
Splunk get combined result from 2 events
I am splunk noob trying to write a query for a couple of hours but not successful so far. I want to count the number of times the command 'install' was triggered and the exit code was '0' Each install command writes log in a new file with format 'install_timestamp' so I am searching for source="install*"
Using 2 source files as example
source1:
event1:command=install
... //a couple of other events
event100:exit_code=0
source2:
event1:command=install -f
... //a couple of other events
event100:exit_code=0
In this case I want the result to be 1. Only 1 occurrence of exit_code=0 when command was 'install' (not -f) The thing that's confusing me is that the information for command and exit_code is in different events, I can get each of the two events separately but able to figure out how to get the combined result.
Any tips on how can I achieve the result I want ? - Thanks!
Upvotes: 1
Views: 648
Answers (1)
Reputation: 103
It's a little crude but you could do something like this...
("One String" NOT "Bad String") OR "Another String" | stats count by source | where count > 1
It will basically give you a list of files that contain events matching both strings. For your example this would be something like...
("command=install" NOT "-f") OR "exit_code=0" | stats count by source | where count > 1
Upvotes: 0
Related Questions
- Splunk : extract multiple values from each event
- Join two Splunk queries without predefined fields
- How to filter out events before joining datasets with stats
- Group events by multiple fields in Splunk
- How to merge two stats by in Splunk?
- Splunk: Stats from multiple events and expecting one combined output
- How to append two queries in splunk?
- show results from two splunk queries into one
- How to combine two queries in Splunk?
- Splunk combining multiple logs