topic Re: grouping data in search in Splunk Search

grouping data in search

joegrossman — Tue, 08 May 2012 00:50:35 GMT

I am serching a log that has statuses. When I run the search and chart it, I get a bar for each status. There are, say, 10 statuses. Instead, I want to group the data into 2 results: one result is the count of status < 400, and the other is the count of status >= 400. Any idea how I get this?

Re: grouping data in search

mwhite_splunk — Tue, 08 May 2012 01:17:28 GMT

Can you please paste the search you are currently using to do this?

Re: grouping data in search

kristian_kolb — Tue, 08 May 2012 07:08:47 GMT

Like this.

   ... | stats c(eval(status<400)) AS low c(eval(status>=400)) AS high

Please note that you need to rename the fields with AS like above.

EDIT: changed so that the exact value of 400 would be counted as 'high'.

Hope this helps,

Kristian

Re: grouping data in search

joegrossman — Tue, 08 May 2012 19:08:25 GMT

Thanks Kristian! This worked. I tweaked it a bit because I hadn't put my question clearly, but your syntax worked. Here is what I ended up with:
...| timechart c(eval(status>400)) AS FAILURE c(eval(status<=400)) AS SUCCESS

Re: grouping data in search

kristian_kolb — Tue, 08 May 2012 19:13:51 GMT

Good to hear. Please mark as answered and/or upvote. Thanks, Kristian