Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

organizing multiple responses

jsmith39
Path Finder
‎01-27-2014 10:41 AM

How do you query an application log for multiple event codes and then organize them in a report based on what codes were seen?

I'm searching 40+ server application logs for backup exec codes and based upon success (34112 or 57755) or failure (34113 or 34114) Output the count to either a success or failure column organized by host name.

I know a way (though probably not the best way) to do either a success or failure, but not how to combine.

What I've got so far is
sourcetype="WMI:WinEventLog:Application" EventCode=57755 OR 34112 | stats count by tag, host | rename count as Success

It works, but is only looking for instances when thing went correctly.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dglinder
Path Finder
‎01-27-2014 11:07 AM

Can you use the eval command to set a new Success/Failure field?

sourcetype="WMI:WinEventLog:Application" EventCode=57755 OR EventCode=34112 OR EventCode=34113 OR EventCode=34114 | eval Outcome=case(EventCode==57755 OR EventCode==34112, "Success", EventCode==34113 OR EventCode==34114, "Failure") | search Outcome="Success" | stats count by host, Outcome

(Edit: minor fixes to the EventCode search and eval portions.)

View solution in original post

Reply
Solved! Jump to solution

jsmith39
Path Finder
‎01-27-2014 11:13 AM

Thank you very much!
Both of those queries worked perfectly if differently.

0 Karma
Reply
Solved! Jump to solution
Solution

dglinder
Path Finder
‎01-27-2014 11:07 AM

Can you use the eval command to set a new Success/Failure field?

sourcetype="WMI:WinEventLog:Application" EventCode=57755 OR EventCode=34112 OR EventCode=34113 OR EventCode=34114 | eval Outcome=case(EventCode==57755 OR EventCode==34112, "Success", EventCode==34113 OR EventCode==34114, "Failure") | search Outcome="Success" | stats count by host, Outcome

(Edit: minor fixes to the EventCode search and eval portions.)

Reply
Solved! Jump to solution

dglinder
Path Finder
‎01-27-2014 11:25 AM

Thanks lukejadamec - I've update the example.

Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎01-27-2014 10:59 AM

You can append the failure code data:

sourcetype="WMI:WinEventLog:Application" EventCode=57755 OR EventCode=34112 | stats count by tag, host | rename count as Success |append [search index=main sourcetype="WMI:WinEventLog:Application" EventCode=34113 OR EventCode=34114| stats count by tag, host | rename count as Failure]

Reply
Solved! Jump to solution

dglinder
Path Finder
‎01-27-2014 11:27 AM

I don't use sub-searches so I always forget their usefulness.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...