Solved: Count the Error, Info and Warnings

a508184 · ‎12-24-2018

Am very new to splunk, i need a query to get the count and percentage of Error, Info and Warnings in a table.

Error, Info and Warnings filed is already extracted.

Thanks in advance team.

Thanks,
Nithin Setty

richgalloway · ‎12-24-2018

Try this:

index = bla source="" Field2=* host=* | stats count as total, count(eval(Field2="INFO")) as Info, count(eval(Field2="WARN")) as Warn, count(eval(Field2="ERROR")) as Error by source host | eval InfoPct=round(Info*100/total),2), WarnPct=round(Warn*100/total,2), ErrorPct=round(Error*100/total,2) | table source host Field2 Info InfoPct Warn WarnPct Error ErrorPct

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎12-24-2018

Try this:

index = bla source="" Field2=* host=* | stats count as total, count(eval(Field2="INFO")) as Info, count(eval(Field2="WARN")) as Warn, count(eval(Field2="ERROR")) as Error by source host | eval InfoPct=round(Info*100/total),2), WarnPct=round(Warn*100/total,2), ErrorPct=round(Error*100/total,2) | table source host Field2 Info InfoPct Warn WarnPct Error ErrorPct

---
If this reply helps you, Karma would be appreciated.

a508184 · ‎12-26-2018

Thanks Rich for your help

richgalloway · ‎12-24-2018

What queries have you tried so far?
Are Error, Info, and Warnings separate fields or possible values of a single field?

---
If this reply helps you, Karma would be appreciated.

a508184 · ‎12-24-2018

Thanks for your response Rich.

Same Log is
"12-15 20:22:55,671 ERROR - logs/app/fmapp1 12-15,20:22:32.734 ios55 1-426 0 2 DDC1-4 connect fail XXX:XXX Connection refused (Connection refused)"

"12-15 20:22:55,671 Info- logs/app/fmapp1 12-15,20:22:32.734 ios55 1-426 0 2 DDC1-4 Connected

Currently am using below search.
index = bla source="" Field2= host=* |top 1 Field2 by source, host |rename Field2 as Status, host as HOST

Filed2 is ERROR, INFO or WARN

Output am getting at present is:
source↕ HOST↕ Status↕ count↕ percent↕
app/log.txt ServerName INFO 95 100.000000

Expected Output i need is similar to:
Source↕ HOST↕ Status↕ count↕ percent↕ Status↕ count↕ percent↕ Status↕ count↕ percent↕
app/log.txt ServerName INFO 95 100 Error 0 0 Warn 0 0

renjith_nair · ‎12-24-2018

@a508184,
Nithin, are these values of a field Status or do you have fields called Error,Info ,etc with count , for e.g.

Error   Warning Info
12      10      15

Would be nice if you could share some sample events (anonymize confidential data)

---
What goes around comes around. If it helps, hit it with Karma 🙂

a508184 · ‎12-24-2018

Thanks for your response Renjith.

Same Log is
"12-15 20:22:55,671 ERROR - logs/app/fmapp1 12-15,20:22:32.734 ios55 1-426 0 2 DDC1-4 connect fail XXX:XXX Connection refused (Connection refused)"

"12-15 20:22:55,671 Info- logs/app/fmapp1 12-15,20:22:32.734 ios55 1-426 0 2 DDC1-4 Connected

Currently am using below search.
index = bla source="" Field2= host=* |top 1 Field2 by source, host |rename Field2 as Status, host as HOST

Filed2 is ERROR, INFO or WARN

Output am getting at present is:
source↕ HOST↕ Status↕ count↕ percent↕
app/log.txt ServerName INFO 95 100.000000

Expected Output i need is similar to:
Source↕ HOST↕ Status↕ count↕ percent↕ Status↕ count↕ percent↕ Status↕ count↕ percent↕
app/log.txt ServerName INFO 95 100 Error 0 0 Warn 0 0

Count the Error, Info and Warnings

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

Count the Error, Info and Warnings

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey