topic Re: Combining two search stats in Splunk Search

Combining two search stats

adityapavan18 — Wed, 19 Oct 2011 11:28:52 GMT

Hi,

I have 2 search queries.

sourcetype="zzz" Accepted | stats count as SuccessCases

sourcetype="zzz" Rejected | stats count as FailureCases

Now i need to find the rqtion of both.How ca i do that.Can anyone help me here

Re: Combining two search stats

Ayn — Wed, 19 Oct 2011 12:07:06 GMT

"rqtion" ?

Re: Combining two search stats

adityapavan18 — Wed, 19 Oct 2011 13:13:23 GMT

sorry i meant ratio of SuccessCases/FailureCases

Re: Combining two search stats

kristian_kolb — Wed, 19 Oct 2011 13:24:58 GMT

Hi,

If Accepted and Rejected are extracted into a field, e.g. zzz_status or something similar, the following search might do the trick.

UPDATED AGAIN AGAIN: If you just want to count the occurence of success/fail, and the events within the log contain the string mentioned in your comment ( <ns:emailaccepted blah> or <ns:emailrejected blah blah> ), the search could be altered into;

sourcetype="zzz" | rex field=_raw "<ns:email(?<zzz_status>[^ ]+)| stats count(eval(zzz_status=="accepted")) AS Success count(eval(zzz_status=="rejected")) AS Fail | eval SuccessRatio=Success/Fail | table Success, Fail, SuccessToFailRatio

The rex statement above will find whatever is between "<ns:email" and the first blank space (" "), and call it zzz_status. Beware though that this would also match on <ns:email-server, <ns:emailaccount, <ns:emailAddress etc etc, so you might want to watch your step there...

hth,

Kristian

Re: Combining two search stats

adityapavan18 — Wed, 19 Oct 2011 13:53:53 GMT

Thanks Kristian.

But now i am stuck with one other problem, when i said Accepted (it is a part of XML tag), can you help how to extract XML tag name

Like my xml's having tags *Accepted are success scenario logs [eg: or ]

so i need to count all events with EmailAccepted in XML's

and then take a ratio

Re: Combining two search stats

kristian_kolb — Wed, 19 Oct 2011 15:14:42 GMT

Could you submit a sample event or two. I believe that rex is the answer to your question.

Re: Combining two search stats

adityapavan18 — Wed, 19 Oct 2011 16:23:57 GMT

textMessage sent:
ns:Response
ns:RID1234/ns:RID
ns:RQIDD201109191/ns:RQID

same way

textMessage sent :
ns:Response
ns:RID1234/ns:RID
ns:RQIDD201109191/ns:RQID

the logging happens where the actual payload starting with <ns:EmailAccepted but that is enclosed under TEXT

success scenarios have EmailAccepted

Re: Combining two search stats

RicoSuave — Wed, 19 Oct 2011 17:13:10 GMT

you can use the xmlkv command to extract those key pairs.