Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Count the Error, Info and Warnings

a508184
Explorer
‎12-24-2018 05:39 AM

Am very new to splunk, i need a query to get the count and percentage of Error, Info and Warnings in a table.

Error, Info and Warnings filed is already extracted.

Thanks in advance team.

Thanks,
Nithin Setty

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-24-2018 09:59 AM

Try this:

index = bla source="" Field2=* host=* | stats count as total, count(eval(Field2="INFO")) as Info, count(eval(Field2="WARN")) as Warn, count(eval(Field2="ERROR")) as Error by source host | eval InfoPct=round(Info*100/total),2), WarnPct=round(Warn*100/total,2), ErrorPct=round(Error*100/total,2) | table source host Field2 Info InfoPct Warn WarnPct Error ErrorPct

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-24-2018 09:59 AM

Try this:

index = bla source="" Field2=* host=* | stats count as total, count(eval(Field2="INFO")) as Info, count(eval(Field2="WARN")) as Warn, count(eval(Field2="ERROR")) as Error by source host | eval InfoPct=round(Info*100/total),2), WarnPct=round(Warn*100/total,2), ErrorPct=round(Error*100/total,2) | table source host Field2 Info InfoPct Warn WarnPct Error ErrorPct

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

a508184
Explorer
‎12-26-2018 03:58 AM

Thanks Rich for your help

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-24-2018 06:02 AM

What queries have you tried so far?
Are Error, Info, and Warnings separate fields or possible values of a single field?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

a508184
Explorer
‎12-24-2018 07:22 AM

Thanks for your response Rich.

Same Log is
"12-15 20:22:55,671 ERROR - logs/app/fmapp1 12-15,20:22:32.734 ios55 1-426 0 2 DDC1-4 connect fail XXX:XXX Connection refused (Connection refused)"

"12-15 20:22:55,671 Info- logs/app/fmapp1 12-15,20:22:32.734 ios55 1-426 0 2 DDC1-4 Connected

Currently am using below search.
index = bla source="" Field2= host=* |top 1 Field2 by source, host |rename Field2 as Status, host as HOST

Filed2 is ERROR, INFO or WARN

Output am getting at present is:
source↕ HOST↕ Status↕ count↕ percent↕
app/log.txt ServerName INFO 95 100.000000

Expected Output i need is similar to:
Source↕ HOST↕ Status↕ count↕ percent↕ Status↕ count↕ percent↕ Status↕ count↕ percent↕
app/log.txt ServerName INFO 95 100 Error 0 0 Warn 0 0

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎12-24-2018 06:01 AM

@a508184,
Nithin, are these values of a field Status or do you have fields called Error,Info ,etc with count , for e.g.

Error   Warning Info
12      10      15

Would be nice if you could share some sample events (anonymize confidential data)

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

a508184
Explorer
‎12-24-2018 07:21 AM

Thanks for your response Renjith.

Same Log is
"12-15 20:22:55,671 ERROR - logs/app/fmapp1 12-15,20:22:32.734 ios55 1-426 0 2 DDC1-4 connect fail XXX:XXX Connection refused (Connection refused)"

"12-15 20:22:55,671 Info- logs/app/fmapp1 12-15,20:22:32.734 ios55 1-426 0 2 DDC1-4 Connected

Currently am using below search.
index = bla source="" Field2= host=* |top 1 Field2 by source, host |rename Field2 as Status, host as HOST

Filed2 is ERROR, INFO or WARN

Output am getting at present is:
source↕ HOST↕ Status↕ count↕ percent↕
app/log.txt ServerName INFO 95 100.000000

Expected Output i need is similar to:
Source↕ HOST↕ Status↕ count↕ percent↕ Status↕ count↕ percent↕ Status↕ count↕ percent↕
app/log.txt ServerName INFO 95 100 Error 0 0 Warn 0 0

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...