topic Re: how to write query to show only failure records from the following query with field filter is Applicationstatus_MFT!="Success" in Splunk Search

how to write query to show only failure records from the following query with field filter is Applicationstatus_MFT!="Success"

Malliv — Tue, 29 Sep 2020 20:08:10 GMT

index=axway* sourcetype=":messages" SENDERROUTINGID="KNPROD" |stats count by PRODUCTIONFILENAME|fields - count |rename PRODUCTIONFILENAME as FileName |join type=left FileName [search index=axway APPLICATION="CRD_3PL_TO_S4_GOODSRCPT" STATE=* | eval temp=split(FILENAME,"/")| eval count=mvcount(temp)| eval FileName=mvindex(temp,-1) |eval status=if(STATE like "%COMPLETE%" ,"Success","Failure") |stats latest(status) as status by APPLICATION FileName |stats count(eval(status="Failure")) as FailureCount by FileName APPLICATION status |replace CRD_3PL_TO_S4_GOODSRCPT
WITH "IDD_CRD_SCS_022" IN APPLICATION |rename APPLICATION as InterfaceID ] |eval Applicationstatus_MFT=if(status="_", "Failure","Success") |table InterfaceID FileName Applicationstatus_MFT |stats count(FileName) as FileVolume count(eval(Applicationstatus_MFT!="Success")) as FailFileCount by InterfaceID Applicationstatus_MFT

Re: how to write query to show only failure records from the following query with field filter is Applicationstatus_MFT!="Success"

kmaron — Fri, 22 Jun 2018 13:38:33 GMT

You can just add | search ApplicationStatus_MFT!="Success" after your eval that creates Applicationstatus_MFT.

Though if you area only showing failures you may be able to remove some of the other pieces from your query.

Re: how to write query to show only failure records from the following query with field filter is Applicationstatus_MFT!="Success"

Malliv — Mon, 25 Jun 2018 11:04:07 GMT

When I run with the above command :I got this message "no results found yet". Right now I dont have failed records so should I trust this query as correct?