0

I have below log from my application:

BookData, {
id: 12312
}, appID : 'APP1', Relation_ID : asdas-12312
host = aws@asd. sourcetype=service_name

The entire log above is in the form of a single String. I want to create a table with the no. of times an appID has hit the service. i.e. I want to count the no. of events and group them by appID.

Basically, something like:

appID Count
APP1    23
APP2    25
APP3    100

I tried with below query, but it is not working. It is giving as 0 records found.

index=my_index sourcetype=service_name * | table appID Count | addColTotals labelfield=appID label="appID" count

As per my understanding, above query is not working because appID is not a label, but in that case, how do I go about forming the query with my desired result.

kselvan9000
  • 23
  • 6

1 Answers1

2

The query doesn't work in part because there is no Count field for the table command to display and no count field for the addcoltotals command to add to the results. To get a count you must tell Splunk to count fields by using the stats, eventstats, streamstats, or timechart command.

Try this:

index=my_index sourcetype=service_name
| stats count as Count by appID
RichG
  • 9,063
  • 2
  • 18
  • 29