I'm new to Splunk. I need to get a count of each of the error messages from our logs. I tried writing the below search query but it is not working as expected.
index="my_index" source="my_service.log" logger="com.xyz.splunk.logger.*" severity="ERROR" |eval errorType=case(Message=="mandatory field field1 is null", "missing field1", Message=="mandatory field field2 is null", "missing field2", Message=="mandatory field field1 has invalid value", "invalid field1") | stats count by errorType
Can you provide some sample events? Why do you say it is not working as expected?
I am guessing you will need to use match on the Message field, to match the partial string, but this is only a guess, based on a lack of sample events.
index="my_index" source="my_service.log" logger="com.xyz.splunk.logger.*" severity="ERROR"
| eval errorType=case(
match(Message, "mandatory field field1 is null"), "missing field1",
match(Message, "mandatory field field2 is null"), "missing field2",
match(Message, "mandatory field field1 has invalid value"), "invalid field1"
)
| stats count by errorType
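To show why the original query's `==` comparisons drop events while `match()` picks them up, here is a small Python emulation of the two `case()` variants and the `stats count by errorType` step, added here as an illustration rather than code from the post. The log messages are constructed, and the `"other"` bucket is a hypothetical default clause that the posted SPL does not have.

```python
import re
from collections import Counter

# Constructed sample events (not from the original post). Several Messages carry
# extra context around the phrase, which is exactly where an exact "==" fails.
SAMPLE_MESSAGES = [
    "Validation failed: mandatory field field1 is null (request 42)",
    "mandatory field field2 is null",
    "Validation failed: mandatory field field1 has invalid value 'abc'",
    "mandatory field field1 is null",
    "Connection reset by peer",
]

# Same rules as the SPL case() in the answer, evaluated top to bottom.
RULES = [
    ("mandatory field field1 is null", "missing field1"),
    ("mandatory field field2 is null", "missing field2"),
    ("mandatory field field1 has invalid value", "invalid field1"),
]


def classify_exact(message):
    """Emulates case(Message=="...", ...): whole-string equality only."""
    for pattern, label in RULES:
        if message == pattern:
            return label
    return None  # case() with no matching clause yields null


def classify_match(message):
    """Emulates case(match(Message, "..."), ...): regex search anywhere in the string.
    Splunk's match() is regex-based, so a pattern containing metacharacters
    (e.g. '.' or '(') would need escaping; these literal phrases are safe."""
    for pattern, label in RULES:
        if re.search(pattern, message):
            return label
    return "other"  # hypothetical default bucket so unmatched events are still counted


def count_by_error_type(messages, classifier):
    """Emulates `stats count by errorType`: events with a null errorType are dropped."""
    counts = Counter(classifier(m) for m in messages)
    counts.pop(None, None)
    return dict(counts)


if __name__ == "__main__":
    print("exact:", count_by_error_type(SAMPLE_MESSAGES, classify_exact))
    print("match:", count_by_error_type(SAMPLE_MESSAGES, classify_match))
```

With these inputs the exact-equality version counts only the two bare messages, while the match() version classifies all four validation errors and leaves nothing uncounted.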