Solved: Combine Status Results into one Row

kartiksha · ‎06-09-2017

source="Test" index=XYZ [search source="Test2" index=XYZ2 Address=.| dedup "attachments{}.uniqueid"|rename "attachments{}.uniqueid" as uniqueid|table uniqueid] |dedup uniqueid status|stats count(status) as Documents by status| eval status = case(status=42, "Entered Network", status=200, "Success Email Sent", status=333, "Processing Started", status=400 OR status=500, "Automatic Extraction", status=600 OR status=800, "Entered Validation", status=3, "Others")|eval sort_field=case(status="Entered Network",1,status="Success Email Sent",2,status="Processing Started",3,status="Automatic Extraction",4,status="Entered Validation",5,status="Others",6) | sort by sort_field|table status, Documents

Everything works except I would like to combine Automatic Extraction into one row:

Status Invoices
Entered Network 46
Success Email Sent 46
Processing Started 44
Automatic Extraction 47
Automatic Extraction 42
Entered Validation 56
Others 44

cmerriman · ‎06-09-2017

you can add a |stats sum(Documents) as Invoices by status at the end. or you could move your |eval status before your stats command.

View solution in original post

cmerriman · ‎06-09-2017

you can add a |stats sum(Documents) as Invoices by status at the end. or you could move your |eval status before your stats command.

kartiksha · ‎06-09-2017

Thanks. That was simple... I feel like an idiot 😉

cmerriman · ‎06-09-2017

you have no idea how easy it is to overlook the simplest things 🙂

kartiksha · ‎06-09-2017

Like --
Status Invoices
Entered Network 46
Success Email Sent 46
Processing Started 44
Automatic Extraction 89
Entered Validation 56
Others 44

Combine Status Results into one Row

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms