https://community.splunk.com/t5/Splunk-Search/How-to-group-results-from-two-rex-together-into-one-Column-Chart/m-p/370199#M165175 <P>I am doing a search query where there will be a dynamic client ID with either a success or a failure result code -- I want to look at all the successes and failures based on a client ID. </P> <P>The client ID always comes after the method name, a comma, the code (for success or failure), a space and comma, then the client ID followed by a comma. This is an example of what the event logs look like: </P> <PRE><CODE>&lt;A bunch of random logging stuff&gt; ~aStaticMethodName,SuccessOrFailureCode5555 ,ClientID, &lt;Another bunch of random logging stuff&gt; </CODE></PRE> <P>I am using 'rex' to find the Client IDs for both the successes or failures by client ID like this: </P> <PRE><CODE>"My Search Here" | rex "~myMethod,successCode0000 ,(?&lt;success&gt;[^,]+)," | rex "~myMethod,failureCode1111 ,(?&lt;failure&gt;[^,]+)," </CODE></PRE> <P>I then add a <CODE>| chart count by success</CODE> (or change the success to failure) and can get an output looking like this:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/3857iA16DAB3BD4D79758/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>The successes and failures will have common client IDs (client A, client B, etc). </P> <P>What I want to do, is combine both success and failure into one chart grouped by client ID like this:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/3858i19AE7B4173DA7403/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Is there a way to do this in Splunk? Help is greatly appreciated!</P> Tue, 14 Nov 2017 20:32:54 GMT lordhans 2017-11-14T20:32:54Z https://community.splunk.com/t5/Splunk-Search/How-to-group-results-from-two-rex-together-into-one-Column-Chart/m-p/370199#M165175 <P>I am doing a search query where there will be a dynamic client ID with either a success or a failure result code -- I want to look at all the successes and failures based on a client ID. </P> <P>The client ID always comes after the method name, a comma, the code (for success or failure), a space and comma, then the client ID followed by a comma. This is an example of what the event logs look like: </P> <PRE><CODE>&lt;A bunch of random logging stuff&gt; ~aStaticMethodName,SuccessOrFailureCode5555 ,ClientID, &lt;Another bunch of random logging stuff&gt; </CODE></PRE> <P>I am using 'rex' to find the Client IDs for both the successes or failures by client ID like this: </P> <PRE><CODE>"My Search Here" | rex "~myMethod,successCode0000 ,(?&lt;success&gt;[^,]+)," | rex "~myMethod,failureCode1111 ,(?&lt;failure&gt;[^,]+)," </CODE></PRE> <P>I then add a <CODE>| chart count by success</CODE> (or change the success to failure) and can get an output looking like this:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/3857iA16DAB3BD4D79758/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>The successes and failures will have common client IDs (client A, client B, etc). </P> <P>What I want to do, is combine both success and failure into one chart grouped by client ID like this:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/3858i19AE7B4173DA7403/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Is there a way to do this in Splunk? Help is greatly appreciated!</P> Tue, 14 Nov 2017 20:32:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-results-from-two-rex-together-into-one-Column-Chart/m-p/370199#M165175 lordhans 2017-11-14T20:32:54Z https://community.splunk.com/t5/Splunk-Search/How-to-group-results-from-two-rex-together-into-one-Column-Chart/m-p/370200#M165176 <P>try something like this:</P> <PRE><CODE>"My Search Here" | rex "~myMethod,successCode0000 ,(?&lt;success&gt;[^,]+)," | rex "~myMethod,failureCode1111 ,(?&lt;failure&gt;[^,]+)," | eval clients=coalesce(success,failure) | stats count(success) as success count(failure) as failure by clients </CODE></PRE> Tue, 14 Nov 2017 20:40:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-results-from-two-rex-together-into-one-Column-Chart/m-p/370200#M165176 cmerriman 2017-11-14T20:40:35Z https://community.splunk.com/t5/Splunk-Search/How-to-group-results-from-two-rex-together-into-one-Column-Chart/m-p/370201#M165177 <P>Try like this</P> <PRE><CODE>"My Search Here" | rex "~myMethod,(?&lt;status&gt;[^,]+) ,(?&lt;clientID&gt;[^,]+)," | replace "successCode0000" with "Success" "failureCode1111" with "Failure" in status | chart count over clientID by status </CODE></PRE> Tue, 14 Nov 2017 20:40:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-results-from-two-rex-together-into-one-Column-Chart/m-p/370201#M165177 somesoni2 2017-11-14T20:40:48Z