Solved: how to write query for muliple keyword in stats ?

karthi2809 · ‎06-19-2020

I had four different keyword( job Success msg ) and need to display job name and status.but i am getting counts

index=* cf_app_name="s*" OR cf_app_name=nd* ("All feed is completed" OR "XXX Success: XXX" OR "YYY Success: YYY" OR "Finished handshake success" )
| eval searchString = case(like(_raw, "%All feed is completed%"), "First Job", like(_raw, "%XXX Success: XXX%"), "Second Job", like(_raw, "%YYY Success: YYY%"), "third job",like(_raw, "%Finished handshake success%"), "Fourth job", 1==1, "Incorrect searchString match, please refactor")
| stats count by searchString _time

Actual result:

First job 5

second Job 7

Excpected output:

first job Success
Second job Success

Third job failure

to4kawa · ‎06-20-2020

index=* cf_app_name="s*" OR cf_app_name=nd* ("All feed is completed" OR "XXX Success: XXX" OR "YYY Success: YYY" OR "Finished handshake success" )
| eval searchString = case(like(_raw, "%All feed is completed%"), "First Job", like(_raw, "%XXX Success: XXX%"), "Second Job", like(_raw, "%YYY Success: YYY%"), "third job",like(_raw, "%Finished handshake success%"), "Fourth job", 1==1, "Incorrect searchString match, please refactor")
| stats count by searchString
| append [ makeresults
| eval searchString=split("First Job,Second Job,Third Job,Fourth Job",",")
| mvexpand searchString
| fields - _time]
| stats count(count) as count by searchString
| eval status=if(count>0,"Success","Failure")

View solution in original post

to4kawa · ‎06-20-2020

index=* cf_app_name="s*" OR cf_app_name=nd* ("All feed is completed" OR "XXX Success: XXX" OR "YYY Success: YYY" OR "Finished handshake success" )
| eval searchString = case(like(_raw, "%All feed is completed%"), "First Job", like(_raw, "%XXX Success: XXX%"), "Second Job", like(_raw, "%YYY Success: YYY%"), "third job",like(_raw, "%Finished handshake success%"), "Fourth job", 1==1, "Incorrect searchString match, please refactor")
| stats count by searchString
| append [ makeresults
| eval searchString=split("First Job,Second Job,Third Job,Fourth Job",",")
| mvexpand searchString
| fields - _time]
| stats count(count) as count by searchString
| eval status=if(count>0,"Success","Failure")

karthi2809 · ‎06-20-2020

Thank you lot

The result to be for daily basis

20/6/20

first job Success
Second job Success

Third job Success

19/6/20

first job Success
Second job Success

Third job Success

karthi2809 · ‎06-20-2020

karthi2809 · ‎06-20-2020

Thanks you

Can you please help on how to show the result for daily basis

Expected output:

20/6/20

first job Success
Second job Success

Third job Success

19/6/20

first job Success
Second job Success

Third job Success

18/6/20

first job Success
Second job Success

Third job Success

to4kawa · ‎06-20-2020

index=* cf_app_name="s*" OR cf_app_name=nd* ("All feed is completed" OR "XXX Success: XXX" OR "YYY Success: YYY" OR "Finished handshake success" )
| eval searchString = case(like(_raw, "%All feed is completed%"), "First Job", like(_raw, "%XXX Success: XXX%"), "Second Job", like(_raw, "%YYY Success: YYY%"), "third job",like(_raw, "%Finished handshake success%"), "Fourth job", 1==1, "Incorrect searchString match, please refactor")
| bin span=1d _time
| stats count by _time searchString
| append [ makeresults
| eval searchString=split("First Job,Second Job,Third Job,Fourth Job",",")
| mvexpand searchString
| fields - _time]
| stats count(count) as count by _time searchString
| eval status=if(count>0,"Success","Failure")

how to write query for muliple keyword in stats ?

alert action

alert condition

cron

email

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...