Reputation: 53
Splunk: Get a count of all occurrences of a string?
My log files log a bunch of messages in the same instance, so simply search for a message id followed by a count will not work (I will only count 1 per event when I want to count as many as 50 per event). I want to first narrow down my search to the events which show messages being sent ("enqueued"), and then count all instances of the string "mid".
Any ideas? I am very bad with splunk. How to I get all instances of "mid" to be a countable field?
index=* service=myservice "enqueued" "mid" | stats count mid
Upvotes: 0
Views: 14054
Answers (1)
Reputation: 9936
Your current search doesn't work because you (probably) don't have a field called 'mid'.
To search for strings within the event you can use rex. Try this.
index=* service=myservice "enqueued" "mid"
| rex max_match=0 "(?<mids>mid)"
| eval midCount=mvcount(mids)
| table midCount
BTW, "index=*" is a bad practice. It forces Splunk to search in every index, which really slows things down. After your first search you should know and use the real index name.
Upvotes: 4
Related Questions
- Splunk query - Total or Count by field
- Splunk - How to count occurrences of a string by an extracted field?
- Splunk: count by Id
- Splunk Query - Search unique exception from logs with counts
- Splunk: Matching an error log and obtaining the count of it
- [splunk]: Obtain a count of hits in a query of regexes
- How to count the total number of events in a splunk search result?
- How to count specific value occurrences in the same field?
- splunk query for counting based on regex
- Splunk Query Count of Count