https://community.splunk.com/t5/Splunk-Search/How-to-count-valid-and-invalid-requests-at-the-same-time/m-p/522106#M147209 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/226750">@vamshiverma</a>&nbsp;, can you try below and see if you getting the desired results</P><P>index=myindex sourcetype=foo.bar.*<BR />|eval type=if(DETAIL="*error*" OR DETAIL="*exception*","Fail","other")<BR />|stats count(UNIQUE_ID) as Total sum(eval(status="Fail")) as Fail by sourcetype</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 29 Sep 2020 21:20:29 GMT Nisha18789 2020-09-29T21:20:29Z https://community.splunk.com/t5/Splunk-Search/How-to-count-valid-and-invalid-requests-at-the-same-time/m-p/522076#M147201 <P>Hello,</P><P>I want to display the total count of events and failed events count. In my case, it is determined by the field DETAIL</P><P>The following query does return the count by sourcetype "foo.bar.* and having error or exception.</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="python">index=myindex sourcetype=foo.bar.* DETAIL ="*error*" OR DETAIL ="*exception*"| stats count(UNIQUE_ID) as Fail by sourcetype</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><TABLE border="1" width="100%"><TBODY><TR><TD width="50%" height="24px">Sourcetype</TD><TD width="50%" height="24px">Fail</TD></TR><TR><TD width="50%" height="24px">foo.bar.cat</TD><TD width="50%" height="24px">3</TD></TR><TR><TD width="50%">foo.bar.dog</TD><TD width="50%">2</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>&nbsp;</P><P>I tried to query using the following to determine total events for individual sourcetype and the fails for the same. But, the fails are always returned as zero.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="python">index=myindex sourcetype=foo.bar*| eventstats count(UNIQUE_ID) as Total by sourcetype | search index=myindex sourcetype=foo.bar* DETAIL ="*error*" OR DETAIL ="*exception*"|stats count(UNIQUE_ID) as Fail by src| fields sourcetype Total Fail</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><TABLE border="1" width="100%"><TBODY><TR><TD width="33.333333333333336%">Sourcetype</TD><TD width="33.333333333333336%">Total</TD><TD width="33.333333333333336%">Fail</TD></TR><TR><TD width="33.333333333333336%">foo.bar.cat</TD><TD width="33.333333333333336%">153</TD><TD width="33.333333333333336%">0</TD></TR><TR><TD width="33.333333333333336%">foo.bar.dog</TD><TD width="33.333333333333336%">128</TD><TD width="33.333333333333336%">0</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>I tried using subsearch for the below query, but this one doesn't even work at all.</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="python">index=myindex sourcetype=foo.bar*| eventstats count(UNIQUE_ID) as Total by sourcetype | stats count(eval( DETAIL ="*error*" OR DETAIL ="*exception*")) as fail values(Total) as Total by src | fields src Total fail</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>I appreciate your time and support!</P><P>Thanks!!</P> Tue, 29 Sep 2020 18:40:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-valid-and-invalid-requests-at-the-same-time/m-p/522076#M147201 vamshiverma 2020-09-29T18:40:28Z https://community.splunk.com/t5/Splunk-Search/How-to-count-valid-and-invalid-requests-at-the-same-time/m-p/522082#M147204 <P>You may not need a subsearch.&nbsp; Try this query.</P><LI-CODE lang="markup">index=myindex sourcetype=foo.bar* | eval status=if(searchmatch(DETAIL ="*error*" OR DETAIL ="*exception*"), "Fail", "Success") | stats count(UNIQUE_ID) as Total, sum(eval(status="Fail")) as Fail by sourcetype | fields sourcetype Total Fail</LI-CODE> Tue, 29 Sep 2020 18:40:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-valid-and-invalid-requests-at-the-same-time/m-p/522082#M147204 richgalloway 2020-09-29T18:40:53Z https://community.splunk.com/t5/Splunk-Search/How-to-count-valid-and-invalid-requests-at-the-same-time/m-p/522091#M147205 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;Thank you for the reply, I appreciate it.</P><P>I tried to run the same query but it is throwing <FONT color="#008000"><EM>"<SPAN>Error in 'eval' command: The arguments to the 'searchmatch' function are invalid."&nbsp;&nbsp;</SPAN></EM></FONT></P><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sasd.PNG" style="width: 837px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/11039iEC78D58E122FEF3C/image-size/large?v=v2&amp;px=999" role="button" title="sasd.PNG" alt="sasd.PNG" /></span></P> Tue, 29 Sep 2020 19:58:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-valid-and-invalid-requests-at-the-same-time/m-p/522091#M147205 vamshiverma 2020-09-29T19:58:24Z https://community.splunk.com/t5/Splunk-Search/How-to-count-valid-and-invalid-requests-at-the-same-time/m-p/522097#M147208 <P>Sorry about that.&nbsp; Try this alternative.</P><LI-CODE lang="markup">index=myindex sourcetype=foo.bar* | eval status=case(searchmatch(DETAIL ="*error*"), "Fail", searchmatch(DETAIL ="*exception*"), "Fail", 1==1, "Success") | stats count(UNIQUE_ID) as Total, sum(eval(status="Fail")) as Fail by sourcetype | fields sourcetype Total Fail</LI-CODE> Tue, 29 Sep 2020 20:42:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-valid-and-invalid-requests-at-the-same-time/m-p/522097#M147208 richgalloway 2020-09-29T20:42:26Z https://community.splunk.com/t5/Splunk-Search/How-to-count-valid-and-invalid-requests-at-the-same-time/m-p/522106#M147209 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/226750">@vamshiverma</a>&nbsp;, can you try below and see if you getting the desired results</P><P>index=myindex sourcetype=foo.bar.*<BR />|eval type=if(DETAIL="*error*" OR DETAIL="*exception*","Fail","other")<BR />|stats count(UNIQUE_ID) as Total sum(eval(status="Fail")) as Fail by sourcetype</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 29 Sep 2020 21:20:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-valid-and-invalid-requests-at-the-same-time/m-p/522106#M147209 Nisha18789 2020-09-29T21:20:29Z https://community.splunk.com/t5/Splunk-Search/How-to-count-valid-and-invalid-requests-at-the-same-time/m-p/522158#M147225 <LI-CODE lang="markup">index=myindex sourcetype=foo.bar* | eval status=case(like(DETAIL,"%error%"),"Fail",like(DETAIL,"%exception%"),"Fail",true(), "Success") | stats count(UNIQUE_ID) as Total, sum(eval(status="Fail")) as Fail by sourcetype | fields sourcetype Total Fail</LI-CODE><P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/226750">@vamshiverma</a>&nbsp;, can you please try using&nbsp; above.&nbsp;</P><P>&nbsp;</P><P>Regards,</P><P>Ankush</P><P>&nbsp;</P> Wed, 30 Sep 2020 06:05:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-valid-and-invalid-requests-at-the-same-time/m-p/522158#M147225 askkawalkar 2020-09-30T06:05:20Z https://community.splunk.com/t5/Splunk-Search/How-to-count-valid-and-invalid-requests-at-the-same-time/m-p/522194#M147240 <P>Thank you!&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/148093">@askkawalkar</a>. It helped a lot. Awesome!<span class="lia-unicode-emoji" title=":smiling_face_with_smiling_eyes:">😊</span></P> Wed, 30 Sep 2020 08:55:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-valid-and-invalid-requests-at-the-same-time/m-p/522194#M147240 vamshiverma 2020-09-30T08:55:47Z https://community.splunk.com/t5/Splunk-Search/How-to-count-valid-and-invalid-requests-at-the-same-time/m-p/522195#M147241 <P>Thank you !!&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/215670">@Nisha18789</a>&nbsp; , it's working.&nbsp;<span class="lia-unicode-emoji" title=":grinning_face:">😀</span></P> Wed, 30 Sep 2020 08:50:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-valid-and-invalid-requests-at-the-same-time/m-p/522195#M147241 vamshiverma 2020-09-30T08:50:39Z https://community.splunk.com/t5/Splunk-Search/How-to-count-valid-and-invalid-requests-at-the-same-time/m-p/522196#M147242 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp; &nbsp;slick and smooth way to solve, thanks a lot!!&nbsp;<span class="lia-unicode-emoji" title=":smiling_face_with_smiling_eyes:">😊</span></P> Wed, 30 Sep 2020 08:53:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-valid-and-invalid-requests-at-the-same-time/m-p/522196#M147242 vamshiverma 2020-09-30T08:53:01Z https://community.splunk.com/t5/Splunk-Search/How-to-count-valid-and-invalid-requests-at-the-same-time/m-p/522198#M147243 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/226750">@vamshiverma</a>&nbsp;, Kindly accept answer for question, which is most helpful, So that others can use it if required.&nbsp;</P><P>Regards,&nbsp;</P><P>Ankush</P> Wed, 30 Sep 2020 08:56:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-valid-and-invalid-requests-at-the-same-time/m-p/522198#M147243 askkawalkar 2020-09-30T08:56:59Z https://community.splunk.com/t5/Splunk-Search/How-to-count-valid-and-invalid-requests-at-the-same-time/m-p/522253#M147262 <P>If your problem is resolved, then please click the "Accept as Solution" button to help future readers.</P> Wed, 30 Sep 2020 12:56:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-valid-and-invalid-requests-at-the-same-time/m-p/522253#M147262 richgalloway 2020-09-30T12:56:40Z