https://community.splunk.com/t5/Splunk-Search/Stats-for-multiple-fields-in-the-same-table/m-p/632888#M219837 <LI-CODE lang="markup">| eval count=mvrange(0, count) | mvexpand count | untable count error status | eval status=if(status="NA","Success","Failure") | chart count by error status</LI-CODE> Wed, 01 Mar 2023 22:50:16 GMT ITWhisperer 2023-03-01T22:50:16Z https://community.splunk.com/t5/Splunk-Search/Stats-for-multiple-fields-in-the-same-table/m-p/632853#M219825 <P>I have logs like below:</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">{ [-] TransactionName: "my TransactionName" type1Error: NA eventTime: 2023-02-28 11:16:52.961 type2Error: NA type3Error: NA }</LI-CODE><LI-CODE lang="markup">{ [-] TransactionName: "my TransactionName" type1Error: NA eventTime: 2023-02-28 11:16:52.961 type2Error: Missing Field type3Error: NA }</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>I have framed a below query:</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=my_idx | stats count by type1Error, type2Error, type3Error</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>Which gives me result like:</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">--------------------------------------------------------- type1Error type2Error type3Error count --------------------------------------------------------- NA NA NA 1 NA NA Missing Field 1 ---------------------------------------------------------</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>But then, it would be better if I can bring it for success and failures separately. Like:</P> <P>Create 2 new queries for errors with NA and not NA:</P> <P><STRONG>NA</STRONG>:</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">---------------------------------------------------- Success count ---------------------------------------------------- type1Error 2 type2Error 2 type3Error 1 ----------------------------------------------------</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P><STRONG>Not NA</STRONG>:</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">---------------------------------------------------- Failure count ---------------------------------------------------- type1Error 0 type2Error 0 type3Error 1 ----------------------------------------------------</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>How can we achieve this? Not getting a clear picture on how to frame a query for this. Tried using chart, but no luck !!</P> Thu, 02 Mar 2023 15:22:03 GMT https://community.splunk.com/t5/Splunk-Search/Stats-for-multiple-fields-in-the-same-table/m-p/632853#M219825 Nidd 2023-03-02T15:22:03Z https://community.splunk.com/t5/Splunk-Search/Stats-for-multiple-fields-in-the-same-table/m-p/632885#M219835 <P>You could do something like this</P><LI-CODE lang="markup">| foreach type*Error [ eval &lt;&lt;FIELD&gt;&gt;=if('&lt;&lt;FIELD&gt;&gt;'="NA", 0, 1) ] | stats count sum(*) as * | eval type="Failures" | appendpipe [ | foreach type*Error [ eval &lt;&lt;FIELD&gt;&gt;=count-&lt;&lt;FIELD&gt;&gt; ] | eval type="Success" ] | fields - count | transpose 0 header_field=type column_name=Type</LI-CODE><P>which is generic and does not care how many types of error you have - in this case 3. It will put both success/fail in same table.</P><P>&nbsp;</P> Wed, 01 Mar 2023 22:16:20 GMT https://community.splunk.com/t5/Splunk-Search/Stats-for-multiple-fields-in-the-same-table/m-p/632885#M219835 bowesmana 2023-03-01T22:16:20Z https://community.splunk.com/t5/Splunk-Search/Stats-for-multiple-fields-in-the-same-table/m-p/632887#M219836 <P>Or if you just want a single query for failures</P><LI-CODE lang="markup">... search ... | stats sum(eval(if(type1Error!="NA",1,0))) as type1Error sum(eval(if(type2Error!="NA",1,0))) as type2Error sum(eval(if(type3Error!="NA",1,0))) as type3Error | transpose 0 column_name=Type | rename "row 1" as Failures</LI-CODE><P>and change the stats for successes. Note that this means you always need to know the field names.</P><P>You can always use the previous query for both if you're going to use this in a dashboard by making it a base search and then just removing the field you don't want in the post processing search.</P> Wed, 01 Mar 2023 22:30:53 GMT https://community.splunk.com/t5/Splunk-Search/Stats-for-multiple-fields-in-the-same-table/m-p/632887#M219836 bowesmana 2023-03-01T22:30:53Z https://community.splunk.com/t5/Splunk-Search/Stats-for-multiple-fields-in-the-same-table/m-p/632888#M219837 <LI-CODE lang="markup">| eval count=mvrange(0, count) | mvexpand count | untable count error status | eval status=if(status="NA","Success","Failure") | chart count by error status</LI-CODE> Wed, 01 Mar 2023 22:50:16 GMT https://community.splunk.com/t5/Splunk-Search/Stats-for-multiple-fields-in-the-same-table/m-p/632888#M219837 ITWhisperer 2023-03-01T22:50:16Z https://community.splunk.com/t5/Splunk-Search/Stats-for-multiple-fields-in-the-same-table/m-p/632906#M219843 <P>I always knew there'd be a simple way - must play with untable...&nbsp;<span class="lia-unicode-emoji" title=":beaming_face_with_smiling_eyes:">😁</span></P> Thu, 02 Mar 2023 04:45:38 GMT https://community.splunk.com/t5/Splunk-Search/Stats-for-multiple-fields-in-the-same-table/m-p/632906#M219843 bowesmana 2023-03-02T04:45:38Z