All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Table with foreach search

dkaharlytskyi
Engager
‎01-10-2024 06:45 AM

Hi there, I'm new to Splunk and will be grateful for advice 

I have the following events:

 

 

{
    PROJECT_NAME = project1
    JOB_NAME = jobA
    JOB_RESULT = success
}
{
    PROJECT_NAME = project2
    JOB_NAME = job2
    JOB_RESULT = fail
}

 

 

I need to build the following table:

JOB_NAMETOTAL_SUCCESSTOTAL_FAILS
"for each JOB_NAME in PROJECT_NAME""sum of JOB_RESULT success for JOB_RESULT ""sum of JOB_RESULT fail for JOB_RESULT "
   
   

 

Could you please help with queries for the table? 

Many thanks in advance!

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-10-2024 07:18 AM

Assuming the fields are already extracted, the stats command should do what you want.

| stats count(eval(JOB_RESULT="success")) as TOTAL_SUCCESS,
        count(eval(JOB_RESULT="fail")) as TOTAL_FAILS by PROJECT_NAME, JOB_NAME

 

---
If this reply helps you, Karma would be appreciated.
Reply

dtburrows3
Builder
‎01-10-2024 07:10 AM

I'm not sure If I am completely understanding the ask here but will give it a shot.

So just going off your 2 sample events I think something like this would work. (There is an assumption that the fields "JOB_RESULT", "JOB_NAME", and "PROJECT_NAME" are already extracted and ready to use)

This search is tallying up the success and fails across all jobs grouped into the projects, so each project will have its own row in the final results.

<base_search>
    | stats
        count(eval('JOB_RESULT'=="success")) as TOTAL_SUCCESS,
        count(eval('JOB_RESULT'=="fail")) as TOTAL_FAILS
            by PROJECT_NAME

 Output would look something like this.

dtburrows3_0-1704899258281.png


Or if you need it more granular to see the numbers at the Job level you can use this.

<base_search>
    | stats
        count(eval('JOB_RESULT'=="success")) as TOTAL_SUCCESS,
        count(eval('JOB_RESULT'=="fail")) as TOTAL_FAILS
            by PROJECT_NAME, JOB_NAME

 This will provide you output that each unique combo of PROJECT_NAME/JOB_NAME will have their own row and output would look like this.

dtburrows3_1-1704899362830.png



For reference, here is the SPL used to simulate your problem on my local instance.

| makeresults 
    | eval
        _raw="{
    PROJECT_NAME = project1
    JOB_NAME = jobA
    JOB_RESULT = success
}"

    | append
        [
            | makeresults
                | eval
                    _raw="{
    PROJECT_NAME = project2
    JOB_NAME = job2
    JOB_RESULT = fail
}"
            ]  
    ```
    | extract pairdelim=" " kvdelim="="
    | stats
        count(eval('JOB_RESULT'=="success")) as TOTAL_SUCCESS,
        count(eval('JOB_RESULT'=="fail")) as TOTAL_FAILS
            by PROJECT_NAME
    ```
    | extract pairdelim=" " kvdelim="="
    | stats
        count(eval('JOB_RESULT'=="success")) as TOTAL_SUCCESS,
        count(eval('JOB_RESULT'=="fail")) as TOTAL_FAILS
            by PROJECT_NAME, JOB_NAME
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...