In Splunk, I am looking for logs that say "started with profile: " and retrieve the profile name from found events. Then I want to use the profile name to look for other events (from a different source) and, if one error or more are found, I would like to let it count as one found error, per platform.

To make things more clear I have the following search query (query one):

index="myIndex" "started with profile" BD_L*
| eval Platform=case(searchmatch("LINUX"),"LINUX", searchmatch("AIX"),"AIX", searchmatch("DB2"),"DB2", searchmatch("SQL"),"SQL", searchmatch("WEBSPHERE"),"WEBSPHERE", searchmatch("SYBASE"),"SYBASE", searchmatch("WINDOWS"),"WINDOWS", true(),"ZLINUX")

The events found from the above query contain the following (raw):

Discovery run, 2021101306351355 started with profile BD_L2_Windows

The above query will return a list of events containing the raw data above and will result in the following table. This is a table with the amount of Discovery runs per platform.

Using the following piece of code I can extract RUNID from the events:

| rex "Discovery run, (?<RUNID>.+) started with profile"

RUNID is what I need to use in a second search when looking for errors. Using RUNID I can look for errors (query two):

index="myIndex" source="/*/RUNID/*" CASE("ERROR") CTJT*

Now, I am looking for a way to combine the above two queries into one and count the amount of platforms that have at least one error. So let's say we have the following simulation. This should result in the following results:

Platform | Amount

The Windows run has 0 errors (none found in query 2).
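A single search that does what the question asks for, added here as an example and not part of the original post: both searches run as one OR'ed base search, every event is tagged with its RUNID, and stats then rolls the error count up per run and per platform, so a platform is counted once if any of its runs produced an error. It assumes (the post does not say) that the run id is a 16-digit number, as in the sample event, and that it appears as a directory component of the error events' source path, matching the "/*/RUNID/*" pattern the post uses; index, field and profile names are taken from the post.

```spl
(index="myIndex" "started with profile" BD_L*) OR (index="myIndex" CASE("ERROR") CTJT*)
| rex "Discovery run, (?<RUNID>\d{16}) started with profile (?<Profile>\S+)"
| rex field=source "/(?<RUNID>\d{16})/"
| where isnotnull(RUNID)
| eval is_error=if(isnull(Profile), 1, 0)
| eval Platform=if(isnull(Profile), null(), case(searchmatch("LINUX"),"LINUX", searchmatch("AIX"),"AIX", searchmatch("DB2"),"DB2", searchmatch("SQL"),"SQL", searchmatch("WEBSPHERE"),"WEBSPHERE", searchmatch("SYBASE"),"SYBASE", searchmatch("WINDOWS"),"WINDOWS", true(),"ZLINUX"))
| stats values(Platform) AS Platform, sum(is_error) AS error_count BY RUNID
| where isnotnull(Platform)
| eval run_has_error=if(error_count>0, 1, 0)
| stats dc(RUNID) AS runs, sum(run_has_error) AS runs_with_errors BY Platform
| eval platform_has_error=if(runs_with_errors>0, 1, 0)
| eventstats sum(platform_has_error) AS platforms_with_errors
```

Because the two searches are merged with OR and correlated by stats rather than join or a subsearch, the result is not subject to subsearch row limits; the table lists runs and runs_with_errors per platform, and platforms_with_errors is the count the question asks for, repeated on each row.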