Solved: Re: How to correlate across events, then aggregate...

toehser1 · ‎08-26-2019

Something like,

DEBUG traceid=123 user=john
DEBUG traceid=123 result=200
DEBUG traceid=456 user=john
DEBUG traceid=456 result=400
DEBUG traceid=789 user=sue
DEBUG traceid=789 result=200
DEBUG traceid=abc user=john
DEBUG traceid=abc result=200

I want to get:
John success 2 failure 1
sue success 1 failure 0

masonmorales · ‎08-26-2019

Try this:

| stats values(user) as user, values(result) as result by traceid
| stats count(result="200") as "success", count(result!="200") as "failure" by user

View solution in original post

masonmorales · ‎08-26-2019

Try this:

| stats values(user) as user, values(result) as result by traceid
| stats count(result="200") as "success", count(result!="200") as "failure" by user

How to correlate across events, then aggregate by a different event?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life