0

My log files log a bunch of messages in the same instance, so simply searching for a message id followed by a count will not work (I will only count 1 per event when I want to count as many as 50 per event). I want to first narrow down my search to the events which show messages being sent ("enqueued"), and then count all instances of the string "mid".

Any ideas? I am very bad with splunk. How do I get all instances of "mid" to be a countable field?

index=* service=myservice "enqueued" "mid" | stats count mid
marchocolate
  • 53
  • 1
  • 2
  • 10

1 Answer

4

Your current search doesn't work because you (probably) don't have a field called 'mid'.
To search for strings within the event you can use rex. Try this.

index=* service=myservice "enqueued" "mid" 
| rex max_match=0 "(?<mids>mid)" 
| eval midCount=mvcount(mids) 
| table midCount

BTW, "index=*" is a bad practice. It forces Splunk to search in every index, which really slows things down. After your first search you should know and use the real index name.

RichG
  • 9,063
  • 2
  • 18
  • 29
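As an added illustration (not part of the original answer), here is the same rex/mvcount pipeline run against two constructed sample events built with makeresults, so it can be pasted into any Splunk search bar without real data. It tightens the pattern to `mid=<value>` so substrings such as "middle" are not counted, guards against events with no match (mvcount returns null there), and sums the per-event counts into a total. The field name `mid=` in the sample text is an assumption about the log format.

```spl
| makeresults count=2
| streamstats count AS n
| eval _raw=case(
    n==1, "2024-01-01T10:00:00 service=myservice enqueued mid=a1 mid=b2 mid=c3 middle=ignored",
    n==2, "2024-01-01T10:00:01 service=myservice enqueued mid=d4")
| rex field=_raw max_match=0 "\bmid=(?<mids>\S+)"
| eval midCount=coalesce(mvcount(mids), 0)
| stats sum(midCount) AS totalMids, count AS events
```

With these two sample events the result is totalMids=4 and events=2; the plain pattern `(?<mids>mid)` from the answer would have returned 5 because it also matches inside "middle".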