Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Count the Error, Info and Warnings

a508184
Explorer
‎12-24-2018 05:39 AM

Am very new to splunk, i need a query to get the count and percentage of Error, Info and Warnings in a table.

Error, Info and Warnings filed is already extracted.

Thanks in advance team.

Thanks,
Nithin Setty

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-24-2018 09:59 AM

Try this:

index = bla source="" Field2=* host=* | stats count as total, count(eval(Field2="INFO")) as Info, count(eval(Field2="WARN")) as Warn, count(eval(Field2="ERROR")) as Error by source host | eval InfoPct=round(Info*100/total),2), WarnPct=round(Warn*100/total,2), ErrorPct=round(Error*100/total,2) | table source host Field2 Info InfoPct Warn WarnPct Error ErrorPct

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-24-2018 09:59 AM

Try this:

index = bla source="" Field2=* host=* | stats count as total, count(eval(Field2="INFO")) as Info, count(eval(Field2="WARN")) as Warn, count(eval(Field2="ERROR")) as Error by source host | eval InfoPct=round(Info*100/total),2), WarnPct=round(Warn*100/total,2), ErrorPct=round(Error*100/total,2) | table source host Field2 Info InfoPct Warn WarnPct Error ErrorPct

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

a508184
Explorer
‎12-26-2018 03:58 AM

Thanks Rich for your help

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-24-2018 06:02 AM

What queries have you tried so far?
Are Error, Info, and Warnings separate fields or possible values of a single field?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

a508184
Explorer
‎12-24-2018 07:22 AM

Thanks for your response Rich.

Same Log is
"12-15 20:22:55,671 ERROR - logs/app/fmapp1 12-15,20:22:32.734 ios55 1-426 0 2 DDC1-4 connect fail XXX:XXX Connection refused (Connection refused)"

"12-15 20:22:55,671 Info- logs/app/fmapp1 12-15,20:22:32.734 ios55 1-426 0 2 DDC1-4 Connected

Currently am using below search.
index = bla source="" Field2= host=* |top 1 Field2 by source, host |rename Field2 as Status, host as HOST

Filed2 is ERROR, INFO or WARN

Output am getting at present is:
source↕ HOST↕ Status↕ count↕ percent↕
app/log.txt ServerName INFO 95 100.000000

Expected Output i need is similar to:
Source↕ HOST↕ Status↕ count↕ percent↕ Status↕ count↕ percent↕ Status↕ count↕ percent↕
app/log.txt ServerName INFO 95 100 Error 0 0 Warn 0 0

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎12-24-2018 06:01 AM

@a508184,
Nithin, are these values of a field Status or do you have fields called Error,Info ,etc with count , for e.g.

Error   Warning Info
12      10      15

Would be nice if you could share some sample events (anonymize confidential data)

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

a508184
Explorer
‎12-24-2018 07:21 AM

Thanks for your response Renjith.

Same Log is
"12-15 20:22:55,671 ERROR - logs/app/fmapp1 12-15,20:22:32.734 ios55 1-426 0 2 DDC1-4 connect fail XXX:XXX Connection refused (Connection refused)"

"12-15 20:22:55,671 Info- logs/app/fmapp1 12-15,20:22:32.734 ios55 1-426 0 2 DDC1-4 Connected

Currently am using below search.
index = bla source="" Field2= host=* |top 1 Field2 by source, host |rename Field2 as Status, host as HOST

Filed2 is ERROR, INFO or WARN

Output am getting at present is:
source↕ HOST↕ Status↕ count↕ percent↕
app/log.txt ServerName INFO 95 100.000000

Expected Output i need is similar to:
Source↕ HOST↕ Status↕ count↕ percent↕ Status↕ count↕ percent↕ Status↕ count↕ percent↕
app/log.txt ServerName INFO 95 100 Error 0 0 Warn 0 0

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...