https://community.splunk.com/t5/Splunk-Search/Get-the-details-events-after-using-stats/m-p/563042#M196164 <P class="lia-align-left">I have a query</P><P>&nbsp;</P><LI-CODE lang="markup">index = "index1" |spath output=error_code input=RAW_DATA path=MsgSts.Cd |dedup SESSIONID |stats count as Total sum(eval(if error_code=2,1,0))) as Error by OPERATION |eval Rate = round ((Error/Total)*100,2) |search Rate&gt;20 |table OPPERAION Rate Error</LI-CODE><P>&nbsp;</P><P>And the table is</P><P>OPERATION | Rate&nbsp;&nbsp; | Error</P><P>VerifyOTP&nbsp;&nbsp;&nbsp;&nbsp; | 24.08 | 310</P><P>Which is what I want because I want to know which OPERATION have more than 20% error rate in a certain time range.<BR />But now the hard part, is I want an alert to send to my email the details of all 310 errors event that show above. Since I use stats command, the only information I got left is Total, Error, Rate and OPERATION.</P><P>How do I get the detail events when the rate hit &gt;20% according to my search ?</P> Thu, 12 Aug 2021 09:37:34 GMT phamxuantung 2021-08-12T09:37:34Z https://community.splunk.com/t5/Splunk-Search/Get-the-details-events-after-using-stats/m-p/563042#M196164 <P class="lia-align-left">I have a query</P><P>&nbsp;</P><LI-CODE lang="markup">index = "index1" |spath output=error_code input=RAW_DATA path=MsgSts.Cd |dedup SESSIONID |stats count as Total sum(eval(if error_code=2,1,0))) as Error by OPERATION |eval Rate = round ((Error/Total)*100,2) |search Rate&gt;20 |table OPPERAION Rate Error</LI-CODE><P>&nbsp;</P><P>And the table is</P><P>OPERATION | Rate&nbsp;&nbsp; | Error</P><P>VerifyOTP&nbsp;&nbsp;&nbsp;&nbsp; | 24.08 | 310</P><P>Which is what I want because I want to know which OPERATION have more than 20% error rate in a certain time range.<BR />But now the hard part, is I want an alert to send to my email the details of all 310 errors event that show above. Since I use stats command, the only information I got left is Total, Error, Rate and OPERATION.</P><P>How do I get the detail events when the rate hit &gt;20% according to my search ?</P> Thu, 12 Aug 2021 09:37:34 GMT https://community.splunk.com/t5/Splunk-Search/Get-the-details-events-after-using-stats/m-p/563042#M196164 phamxuantung 2021-08-12T09:37:34Z https://community.splunk.com/t5/Splunk-Search/Get-the-details-events-after-using-stats/m-p/563046#M196167 <P>Hi</P><P>can you try to uses values(filed1) ... values(fieldN) on your stats? It shows those all different values which fields contain as mv field. Probably not exactly what you are looking, but maybe enough?</P><P>If this is not what you want then you could try to use require-command to check if this query gives answer and then add those events?&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchReference/Require" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchReference/Require</A></P><P>r. Ismo</P> Thu, 12 Aug 2021 09:51:53 GMT https://community.splunk.com/t5/Splunk-Search/Get-the-details-events-after-using-stats/m-p/563046#M196167 isoutamo 2021-08-12T09:51:53Z https://community.splunk.com/t5/Splunk-Search/Get-the-details-events-after-using-stats/m-p/563047#M196168 <P>Use eventstats</P><LI-CODE lang="markup">index = "index1" |spath output=error_code input=RAW_DATA path=MsgSts.Cd |dedup SESSIONID |eventstats count as Total sum(eval(if error_code=2,1,0))) as Error by OPERATION |eval Rate = round ((Error/Total)*100,2) |search Rate&gt;20</LI-CODE> Thu, 12 Aug 2021 09:52:14 GMT https://community.splunk.com/t5/Splunk-Search/Get-the-details-events-after-using-stats/m-p/563047#M196168 ITWhisperer 2021-08-12T09:52:14Z