https://community.splunk.com/t5/Deployment-Architecture/Count-the-Error-Info-and-Warnings/m-p/445095#M21196 <P>Thanks for your response Renjith.</P> <P>Same Log is <BR /> "12-15 20:22:55,671 ERROR - logs/app/fmapp1 12-15,20:22:32.734 ios55 1-426 0 2 DDC1-4 connect fail XXX:XXX Connection refused (Connection refused)"</P> <P>"12-15 20:22:55,671 Info- logs/app/fmapp1 12-15,20:22:32.734 ios55 1-426 0 2 DDC1-4 Connected</P> <P>Currently am using below search.<BR /> index = bla source="<EM>" Field2=</EM> host=* |top 1 Field2 by source, host |rename Field2 as Status, host as HOST</P> <P>Filed2 is ERROR, INFO or WARN</P> <P>Output am getting at present is:<BR /> source↕ HOST↕ Status↕ count↕ percent↕<BR /> app/log.txt ServerName INFO 95 100.000000 </P> <P>Expected Output i need is similar to:<BR /> Source↕ HOST↕ Status↕ count↕ percent↕ Status↕ count↕ percent↕ Status↕ count↕ percent↕<BR /> app/log.txt ServerName INFO 95 100 Error 0 0 Warn 0 0 </P> Mon, 24 Dec 2018 15:21:46 GMT a508184 2018-12-24T15:21:46Z https://community.splunk.com/t5/Deployment-Architecture/Count-the-Error-Info-and-Warnings/m-p/445092#M21193 <P>Am very new to splunk, i need a query to get the count and percentage of Error, Info and Warnings in a table.</P> <P>Error, Info and Warnings filed is already extracted.</P> <P>Thanks in advance team.</P> <P>Thanks,<BR /> Nithin Setty</P> Mon, 24 Dec 2018 13:39:28 GMT https://community.splunk.com/t5/Deployment-Architecture/Count-the-Error-Info-and-Warnings/m-p/445092#M21193 a508184 2018-12-24T13:39:28Z https://community.splunk.com/t5/Deployment-Architecture/Count-the-Error-Info-and-Warnings/m-p/445093#M21194 <P>@a508184, <BR /> Nithin, are these values of a field Status or do you have fields called Error,Info ,etc with count , for e.g.</P> <PRE><CODE>Error Warning Info 12 10 15 </CODE></PRE> <P>Would be nice if you could share some sample events (anonymize confidential data)</P> Mon, 24 Dec 2018 14:01:24 GMT https://community.splunk.com/t5/Deployment-Architecture/Count-the-Error-Info-and-Warnings/m-p/445093#M21194 renjith_nair 2018-12-24T14:01:24Z https://community.splunk.com/t5/Deployment-Architecture/Count-the-Error-Info-and-Warnings/m-p/445094#M21195 <P>What queries have you tried so far?<BR /> Are Error, Info, and Warnings separate fields or possible values of a single field? </P> Mon, 24 Dec 2018 14:02:26 GMT https://community.splunk.com/t5/Deployment-Architecture/Count-the-Error-Info-and-Warnings/m-p/445094#M21195 richgalloway 2018-12-24T14:02:26Z https://community.splunk.com/t5/Deployment-Architecture/Count-the-Error-Info-and-Warnings/m-p/445095#M21196 <P>Thanks for your response Renjith.</P> <P>Same Log is <BR /> "12-15 20:22:55,671 ERROR - logs/app/fmapp1 12-15,20:22:32.734 ios55 1-426 0 2 DDC1-4 connect fail XXX:XXX Connection refused (Connection refused)"</P> <P>"12-15 20:22:55,671 Info- logs/app/fmapp1 12-15,20:22:32.734 ios55 1-426 0 2 DDC1-4 Connected</P> <P>Currently am using below search.<BR /> index = bla source="<EM>" Field2=</EM> host=* |top 1 Field2 by source, host |rename Field2 as Status, host as HOST</P> <P>Filed2 is ERROR, INFO or WARN</P> <P>Output am getting at present is:<BR /> source↕ HOST↕ Status↕ count↕ percent↕<BR /> app/log.txt ServerName INFO 95 100.000000 </P> <P>Expected Output i need is similar to:<BR /> Source↕ HOST↕ Status↕ count↕ percent↕ Status↕ count↕ percent↕ Status↕ count↕ percent↕<BR /> app/log.txt ServerName INFO 95 100 Error 0 0 Warn 0 0 </P> Mon, 24 Dec 2018 15:21:46 GMT https://community.splunk.com/t5/Deployment-Architecture/Count-the-Error-Info-and-Warnings/m-p/445095#M21196 a508184 2018-12-24T15:21:46Z https://community.splunk.com/t5/Deployment-Architecture/Count-the-Error-Info-and-Warnings/m-p/445096#M21197 <P>Thanks for your response Rich.</P> <P>Same Log is <BR /> "12-15 20:22:55,671 ERROR - logs/app/fmapp1 12-15,20:22:32.734 ios55 1-426 0 2 DDC1-4 connect fail XXX:XXX Connection refused (Connection refused)"</P> <P>"12-15 20:22:55,671 Info- logs/app/fmapp1 12-15,20:22:32.734 ios55 1-426 0 2 DDC1-4 Connected</P> <P>Currently am using below search.<BR /> index = bla source="<EM>" Field2=</EM> host=* |top 1 Field2 by source, host |rename Field2 as Status, host as HOST</P> <P>Filed2 is ERROR, INFO or WARN</P> <P>Output am getting at present is:<BR /> source↕ HOST↕ Status↕ count↕ percent↕<BR /> app/log.txt ServerName INFO 95 100.000000 </P> <P>Expected Output i need is similar to:<BR /> Source↕ HOST↕ Status↕ count↕ percent↕ Status↕ count↕ percent↕ Status↕ count↕ percent↕<BR /> app/log.txt ServerName INFO 95 100 Error 0 0 Warn 0 0 </P> Mon, 24 Dec 2018 15:22:05 GMT https://community.splunk.com/t5/Deployment-Architecture/Count-the-Error-Info-and-Warnings/m-p/445096#M21197 a508184 2018-12-24T15:22:05Z https://community.splunk.com/t5/Deployment-Architecture/Count-the-Error-Info-and-Warnings/m-p/445097#M21198 <P>Try this:</P> <P>index = bla source="" Field2=* host=* | stats count as total, count(eval(Field2="INFO")) as Info, count(eval(Field2="WARN")) as Warn, count(eval(Field2="ERROR")) as Error by source host | eval InfoPct=round(Info*100/total),2), WarnPct=round(Warn*100/total,2), ErrorPct=round(Error*100/total,2) | table source host Field2 Info InfoPct Warn WarnPct Error ErrorPct</P> Tue, 29 Sep 2020 22:32:05 GMT https://community.splunk.com/t5/Deployment-Architecture/Count-the-Error-Info-and-Warnings/m-p/445097#M21198 richgalloway 2020-09-29T22:32:05Z https://community.splunk.com/t5/Deployment-Architecture/Count-the-Error-Info-and-Warnings/m-p/445098#M21199 <P>Thanks Rich for your help</P> Wed, 26 Dec 2018 11:58:49 GMT https://community.splunk.com/t5/Deployment-Architecture/Count-the-Error-Info-and-Warnings/m-p/445098#M21199 a508184 2018-12-26T11:58:49Z