https://community.splunk.com/t5/Reporting/organizing-multiple-responses/m-p/126958#M2874 <P>Can you use the <EM>eval</EM> command to set a new Success/Failure field?</P> <BLOCKQUOTE> <P>sourcetype="WMI:WinEventLog:Application" EventCode=57755 OR EventCode=34112 OR EventCode=34113 OR EventCode=34114 | eval Outcome=case(EventCode==57755 OR EventCode==34112, "Success", EventCode==34113 OR EventCode==34114, "Failure") | search Outcome="Success" | stats count by host, Outcome</P> </BLOCKQUOTE> <P>(Edit: minor fixes to the EventCode search and eval portions.)</P> Mon, 27 Jan 2014 19:07:06 GMT dglinder 2014-01-27T19:07:06Z https://community.splunk.com/t5/Reporting/organizing-multiple-responses/m-p/126956#M2872 <P>How do you query an application log for multiple event codes and then organize them in a report based on what codes were seen?</P> <P>I'm searching 40+ server application logs for backup exec codes and based upon success (34112 or 57755) or failure (34113 or 34114) Output the count to either a success or failure column organized by host name.</P> <P>I know a way (though probably not the best way) to do either a success or failure, but not how to combine.</P> <P>What I've got so far is<BR /> sourcetype="WMI:WinEventLog:Application" EventCode=57755 OR 34112 | stats count by tag, host | rename count as Success</P> <P>It works, but is only looking for instances when thing went correctly.</P> Mon, 27 Jan 2014 18:41:44 GMT https://community.splunk.com/t5/Reporting/organizing-multiple-responses/m-p/126956#M2872 jsmith39 2014-01-27T18:41:44Z https://community.splunk.com/t5/Reporting/organizing-multiple-responses/m-p/126957#M2873 <P>You can append the failure code data:</P> <P><CODE>sourcetype="WMI:WinEventLog:Application" EventCode=57755 OR EventCode=34112 | stats count by tag, host | rename count as Success |append [search index=main sourcetype="WMI:WinEventLog:Application" EventCode=34113 OR EventCode=34114| stats count by tag, host | rename count as Failure]</CODE></P> Mon, 27 Jan 2014 18:59:56 GMT https://community.splunk.com/t5/Reporting/organizing-multiple-responses/m-p/126957#M2873 lukejadamec 2014-01-27T18:59:56Z https://community.splunk.com/t5/Reporting/organizing-multiple-responses/m-p/126958#M2874 <P>Can you use the <EM>eval</EM> command to set a new Success/Failure field?</P> <BLOCKQUOTE> <P>sourcetype="WMI:WinEventLog:Application" EventCode=57755 OR EventCode=34112 OR EventCode=34113 OR EventCode=34114 | eval Outcome=case(EventCode==57755 OR EventCode==34112, "Success", EventCode==34113 OR EventCode==34114, "Failure") | search Outcome="Success" | stats count by host, Outcome</P> </BLOCKQUOTE> <P>(Edit: minor fixes to the EventCode search and eval portions.)</P> Mon, 27 Jan 2014 19:07:06 GMT https://community.splunk.com/t5/Reporting/organizing-multiple-responses/m-p/126958#M2874 dglinder 2014-01-27T19:07:06Z https://community.splunk.com/t5/Reporting/organizing-multiple-responses/m-p/126959#M2875 <P>Thank you very much!<BR /> Both of those queries worked perfectly if differently.</P> Mon, 27 Jan 2014 19:13:50 GMT https://community.splunk.com/t5/Reporting/organizing-multiple-responses/m-p/126959#M2875 jsmith39 2014-01-27T19:13:50Z https://community.splunk.com/t5/Reporting/organizing-multiple-responses/m-p/126960#M2876 <P>Thanks lukejadamec - I've update the example.</P> Mon, 27 Jan 2014 19:25:20 GMT https://community.splunk.com/t5/Reporting/organizing-multiple-responses/m-p/126960#M2876 dglinder 2014-01-27T19:25:20Z https://community.splunk.com/t5/Reporting/organizing-multiple-responses/m-p/126961#M2877 <P>I don't use sub-searches so I always forget their usefulness.</P> Mon, 27 Jan 2014 19:27:47 GMT https://community.splunk.com/t5/Reporting/organizing-multiple-responses/m-p/126961#M2877 dglinder 2014-01-27T19:27:47Z