0
votes

I'm very new to Splunk and wanted to know if the following was possible: I'm trying to set up a dashboard of how many times we had to retry a call to a service. I am currently logging the following text:

number of retries required 0

The number of retries required can vary from 0 to 3

Is there an easy way to query this and display how many times it was either 0, 1, 2 or 3?

Thanks.

1
Is that string the whole event? Will it always look like that (i.e. ending in the number of retries)? - Oerd
Yeah, that's correct, it will always end in the number of retries. - J145

1 Answers

3
votes

The gist of it is that you need to extract that piece of information into a field and then analyze that field according to your wishes (i.e. via timechart, chart, stats, etc.). Here are two different ways:

  1. You can use the Field Extractor to extract and create a new field from the retries count. This is the recommended long-term option.
  2. Use the rex command to extract and define a new field inline.

    search * | rex field=_raw ".+retries required (?<retries>\d)$"

Then you can chart them over time by appending | timechart retries or use the stats command to do some other calculations.
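
An added example, not part of the original answer: a complete search that carries the inline `rex` extraction through to the per-value counts the question asks for. The first four lines only generate constructed sample events with `makeresults` (the event text and the field name `n` are assumptions) so the search runs on its own; the `where` line drops any event the regex did not match.

```spl
| makeresults count=12
| streamstats count AS n
| eval _time = _time - n * 600
| eval _raw = "constructed sample event: number of retries required " . tostring(n % 4)
| rex field=_raw "retries required (?<retries>\d)$"
| where isnotnull(retries)
| stats count BY retries
| sort retries
```

Against real data, replace the first four lines with your own base search. For a time series instead of a total per value, swap the last two lines for `| timechart span=1h count BY retries`.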