Reputation: 23
Splunk Query Recommendation
I have below log from my application:
BookData, {
id: 12312
}, appID : 'APP1', Relation_ID : asdas-12312
host = aws@asd. sourcetype=service_name
The entire log above is in the form of a single String. I want to create a table with the no. of times an appID has hit the service. i.e. I want to count the no. of events and group them by appID.
Basically, something like:
appID Count
APP1 23
APP2 25
APP3 100
I tried with below query, but it is not working. It is giving as 0 records found.
index=my_index sourcetype=service_name * | table appID Count | addColTotals labelfield=appID label="appID" count
As per my understanding, above query is not working because appID is not a label, but in that case, how do I go about forming the query with my desired result.
Upvotes: 0
Views: 141
Answers (1)
Reputation: 9916
The query doesn't work in part because there is no Count field for the table command to display and no count field for the addcoltotals command to add to the results. To get a count you must tell Splunk to count fields by using the stats, eventstats, streamstats, or timechart command.
Try this:
index=my_index sourcetype=service_name
| stats count as Count by appID
Upvotes: 2
Related Questions
- Separating into separate columns based on 2 delimiters
- How to I use the separate function in R to split a column into as many columns as needed rather than specifying?
- Split column with multiple delimiters
- How do I split a column in R into two columns when I have no delimiter?
- R Split String By Delimiter in a column
- Splitting a column with multiple and unevenly distributed delimiters in R
- Programmatically split non-delimited strings and generate new columns
- How to separate one colmn into multiple based on a character vector of delimiters
- Splitting character string in R based on characters
- Split column at multiple-character delimiter in data frame