topic how to append query ? in Splunk Search

how to append query ?

venkat0896 — Wed, 26 Jun 2019 09:59:23 GMT

Hi Guys
i have 3 queries

query 1 : identity/phones/retrieve AND "[HTTP-STATUS-CODE]" | stats count as Total
query 2 : identity/phones/retrieve AND "[HTTP-STATUS-CODE]=200" | stats count as 200-Success
query 3 : identity/phones/retrieve AND "[HTTP-STATUS-CODE]=403" | stats count as 403-Forbidden

how can i append this 3 queries and i want this to looks like a table with 3 columns
Total | 200-Success | 403-Forbidden

please help on this .. Thanks in advance

Re: how to append query ?

renjith_nair — Wed, 26 Jun 2019 11:45:35 GMT

@venkat0896 ,

Try ,

"your base search"|stats count as Total,count(eval(HTTP-STATUS-CODE==200)) as 200-Success,count(eval(HTTP-STATUS-CODE=="403")) as 403-Forbidden

Re: how to append query ?

venkat0896 — Wed, 26 Jun 2019 12:24:00 GMT

hi @renjith.nair i tried it
getting this error

Error in 'stats' command: The eval expression for dynamic field 'eval(HTTP-STATUS-CODE=="403")' is invalid. Error='Typechecking failed. The '==' operator received different types.'

Re: how to append query ?

renjith_nair — Wed, 26 Jun 2019 12:28:38 GMT

@venkat0896 , is it possible to share the stats part of your search? Please check if you have used the status codes as string (with ") and numeric (without ") in two places and if yes, change it to single format