topic Re: Add results depending on different fields in Splunk Search

Add results depending on different fields

BaptVe — Mon, 02 May 2016 09:24:10 GMT

Hello,

I'm looking to add the results of a count from different fields in one for a table:

 index=XXXX sourcetype="XXXXXX" type=ERROR errorType="*" OR errorType2="*" OR NPE="*" | stats count by errorType

When I run this search, I only get the stats count for the errorType, but I'd like to add the count for errorType2 and NPE and make a table with all of these results.

The table should looks like this:

Name of Error          Count

navigation.Error       7896  
navigation.ErrorMenu   1780  
operation.Error        177  
validation.Error       96

where, for example, navigation comes from errorType, operation comes errorType2, ...

Thanks for your help!

Re: Add results depending on different fields

NOUMSSI — Mon, 02 May 2016 09:37:52 GMT

Hi,
try this:

index=XXXX sourcetype="XXXXXX" type=ERROR errorType="*" OR errorType2="*" OR NPE="*" | stats count by errorType, errorType2, NPE

Re: Add results depending on different fields

jkat54 — Mon, 02 May 2016 09:51:40 GMT

Or this:

   index=XXXX sourcetype="XXXXXX" type=ERROR errorType="*" OR errorType2="*" OR NPE="*" | rename errorType2 AS errorType NPE AS errorType | stats count by errorType | rename errorType AS "Name of Error"

Re: Add results depending on different fields

BaptVe — Mon, 02 May 2016 10:28:00 GMT

index=XXXX sourcetype="XXXXXX" type=ERROR errorType="*" OR errorType2="*" OR NPE="*" | rename errorType2 AS errorType | rename NPE AS errorType | stats count by errorType

==> Only keep the results of NPE.

And others solution you give me didnt work :
They only keep a part of the results !

Perhpas should i search with append / join / appendcols / ...

Still searching for an answer, thanks for your help !

Re: Add results depending on different fields

woodcock — Mon, 02 May 2016 13:09:57 GMT

If mutually-exclusive, like this:

index=XXXX sourcetype="XXXXXX" type=ERROR errorType="*" OR errorType2="*" OR NPE="*" | eval errorType = case(
   isnotnull(errorType), "errorType",
   isnotnull(errorType2), "errorType2",
   isnotnull(NPE), "NPE",
   true(), "ERROR!")
| stats count AS "Name of Error" BY errorType

Otherwise, like this:

index=XXXX sourcetype="XXXXXX" type=ERROR errorType="*" OR errorType2="*" OR NPE="*" | fillnull value="NULL" errorType errorType2 NPE | stats count AS "Name of Error" BY errorType errorType2 NPE

The other answers skip fillnull and without this, you will drop events (try it and you will see).

Re: Add results depending on different fields

somesoni2 — Mon, 02 May 2016 14:03:56 GMT

Another simple option would be to use coalesce command

index=XXXX sourcetype="XXXXXX" type=ERROR errorType="*" OR errorType2="*" OR NPE="*" | eval errorType=coalesce(errorType, errorType2, NPE)| stats count by errorType

http://docs.splunk.com/Documentation/Splunk/6.4.0/SearchReference/CommonEvalFunctions

Re: Add results depending on different fields

woodcock — Mon, 02 May 2016 14:25:10 GMT

Actually, the first option should be this:

index=XXXX sourcetype="XXXXXX" type=ERROR errorType="*" OR errorType2="*" OR NPE="*" | eval errorType=coalesce(errorType, errorType2, NPE) | stats count AS "Name of Error" BY errorType

Re: Add results depending on different fields

BaptVe — Mon, 09 May 2016 07:28:39 GMT

Hello,

Thanks for you help everyone, i didn't try your queries because i start looking on another way to do the job :
I had trouble at the beginning with my logs (they were very different) so i create multiple field to match them all and tried to coalesce them all.

But finally i found a way to create better field and make my errorType & errorType2 match in one field !
I had to work a little bit on the ReGex and delete the old field i create so i can't try your queries !

I apologize for the loss of time and thanks you all for your help,
Maybe this queries will be useful for someone else !