https://community.splunk.com/t5/Splunk-Search/splunk-search-giving-same-results-in-table/m-p/317988#M95142 <P>Hello, leomedina</P> <P>It looks that you should correct stats statement because now you count the same in first search and after append </P> <P>1.<CODE>index=datapower ApplicationName="mpgw(OAuth-subscription)" "HTTP response code"<BR /> ...<BR /> | stats count as Success by ApplicationName</CODE></P> <P>2.<CODE>[search index=datapower ApplicationName="mpgw(OAuth-subscription)" "HTTP response code" <BR /> | stats count as Errors by ApplicationName]</CODE> </P> <P>but rename in different ways Success and Errors</P> <P>May be you should try something like this to specify some way in first case only success and in second only errors</P> <PRE><CODE> index=datapower ApplicationName="mpgw(OAuth-subscription)" "HTTP response code" | lookup http_response_codes.csv response_code OUTPUT description | search description="*success*" | stats count as Success by ApplicationName | append [search index=datapower ApplicationName="mpgw(OAuth-subscription)" "HTTP response code" | lookup http_response_codes.csv response_code OUTPUT description | search description="*error*" | stats count as Errors by ApplicationName] </CODE></PRE> Tue, 11 Apr 2017 07:35:51 GMT andrey2007 2017-04-11T07:35:51Z https://community.splunk.com/t5/Splunk-Search/splunk-search-giving-same-results-in-table/m-p/317987#M95141 <P>Hello,</P> <P>The below search is producing the same data for success and errors... </P> <PRE><CODE>index=datapower ApplicationName="mpgw(OAuth-subscription)" "HTTP response code" | lookup http_response_codes.csv response_code OUTPUT description | stats count as Success by ApplicationName | append [search index=datapower ApplicationName="mpgw(OAuth-subscription)" "HTTP response code" | stats count as Errors by ApplicationName] | stats values(Success) as Success, values(Errors) as Errors by ApplicationName </CODE></PRE> <P>1) How can I make this query output the data where it needs? Do I need to create multiple lookups (one for successful and one for errors)? My http_response_codes.csv has a ton of response codes. If so, how would that search look like? Greatly appreciate the help.</P> Tue, 29 Sep 2020 13:36:01 GMT https://community.splunk.com/t5/Splunk-Search/splunk-search-giving-same-results-in-table/m-p/317987#M95141 leomedina 2020-09-29T13:36:01Z https://community.splunk.com/t5/Splunk-Search/splunk-search-giving-same-results-in-table/m-p/317988#M95142 <P>Hello, leomedina</P> <P>It looks that you should correct stats statement because now you count the same in first search and after append </P> <P>1.<CODE>index=datapower ApplicationName="mpgw(OAuth-subscription)" "HTTP response code"<BR /> ...<BR /> | stats count as Success by ApplicationName</CODE></P> <P>2.<CODE>[search index=datapower ApplicationName="mpgw(OAuth-subscription)" "HTTP response code" <BR /> | stats count as Errors by ApplicationName]</CODE> </P> <P>but rename in different ways Success and Errors</P> <P>May be you should try something like this to specify some way in first case only success and in second only errors</P> <PRE><CODE> index=datapower ApplicationName="mpgw(OAuth-subscription)" "HTTP response code" | lookup http_response_codes.csv response_code OUTPUT description | search description="*success*" | stats count as Success by ApplicationName | append [search index=datapower ApplicationName="mpgw(OAuth-subscription)" "HTTP response code" | lookup http_response_codes.csv response_code OUTPUT description | search description="*error*" | stats count as Errors by ApplicationName] </CODE></PRE> Tue, 11 Apr 2017 07:35:51 GMT https://community.splunk.com/t5/Splunk-Search/splunk-search-giving-same-results-in-table/m-p/317988#M95142 andrey2007 2017-04-11T07:35:51Z https://community.splunk.com/t5/Splunk-Search/splunk-search-giving-same-results-in-table/m-p/317989#M95143 <P>Try this:</P> <PRE><CODE> index=datapower ApplicationName="mpgw(OAuth-subscription)" "HTTP response code" | lookup http_response_codes.csv response_code OUTPUT description | stats count(eval(match(description, "success"))) AS Success count(eval(match(description, "error"))) AS Errors BY ApplicationName </CODE></PRE> Tue, 11 Apr 2017 14:23:14 GMT https://community.splunk.com/t5/Splunk-Search/splunk-search-giving-same-results-in-table/m-p/317989#M95143 woodcock 2017-04-11T14:23:14Z https://community.splunk.com/t5/Splunk-Search/splunk-search-giving-same-results-in-table/m-p/317990#M95144 <P>Thank you Mr. Woodcock!</P> <P>I made some minor modifications on my end but your guidance led me there. I ended up creating a new lookup csv with the status of success or fail in a separate column next to the http codes and was then able to use the above query.</P> <P>Thanks again!</P> Tue, 11 Apr 2017 16:11:42 GMT https://community.splunk.com/t5/Splunk-Search/splunk-search-giving-same-results-in-table/m-p/317990#M95144 leomedina 2017-04-11T16:11:42Z https://community.splunk.com/t5/Splunk-Search/splunk-search-giving-same-results-in-table/m-p/317991#M95145 <P>Be sure to <CODE>Upvote</CODE> any helpful answers and click <CODE>Accept</CODE> on the best one to close the Question and let others know what worked.</P> Tue, 11 Apr 2017 18:31:56 GMT https://community.splunk.com/t5/Splunk-Search/splunk-search-giving-same-results-in-table/m-p/317991#M95145 woodcock 2017-04-11T18:31:56Z