Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

organizing multiple responses

jsmith39
Path Finder
‎01-27-2014 10:41 AM

How do you query an application log for multiple event codes and then organize them in a report based on what codes were seen?

I'm searching 40+ server application logs for backup exec codes and based upon success (34112 or 57755) or failure (34113 or 34114) Output the count to either a success or failure column organized by host name.

I know a way (though probably not the best way) to do either a success or failure, but not how to combine.

What I've got so far is
sourcetype="WMI:WinEventLog:Application" EventCode=57755 OR 34112 | stats count by tag, host | rename count as Success

It works, but is only looking for instances when thing went correctly.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dglinder
Path Finder
‎01-27-2014 11:07 AM

Can you use the eval command to set a new Success/Failure field?

sourcetype="WMI:WinEventLog:Application" EventCode=57755 OR EventCode=34112 OR EventCode=34113 OR EventCode=34114 | eval Outcome=case(EventCode==57755 OR EventCode==34112, "Success", EventCode==34113 OR EventCode==34114, "Failure") | search Outcome="Success" | stats count by host, Outcome

(Edit: minor fixes to the EventCode search and eval portions.)

View solution in original post

Reply
Solved! Jump to solution

jsmith39
Path Finder
‎01-27-2014 11:13 AM

Thank you very much!
Both of those queries worked perfectly if differently.

0 Karma
Reply
Solved! Jump to solution
Solution

dglinder
Path Finder
‎01-27-2014 11:07 AM

Can you use the eval command to set a new Success/Failure field?

sourcetype="WMI:WinEventLog:Application" EventCode=57755 OR EventCode=34112 OR EventCode=34113 OR EventCode=34114 | eval Outcome=case(EventCode==57755 OR EventCode==34112, "Success", EventCode==34113 OR EventCode==34114, "Failure") | search Outcome="Success" | stats count by host, Outcome

(Edit: minor fixes to the EventCode search and eval portions.)

Reply
Solved! Jump to solution

dglinder
Path Finder
‎01-27-2014 11:25 AM

Thanks lukejadamec - I've update the example.

Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎01-27-2014 10:59 AM

You can append the failure code data:

sourcetype="WMI:WinEventLog:Application" EventCode=57755 OR EventCode=34112 | stats count by tag, host | rename count as Success |append [search index=main sourcetype="WMI:WinEventLog:Application" EventCode=34113 OR EventCode=34114| stats count by tag, host | rename count as Failure]

Reply
Solved! Jump to solution

dglinder
Path Finder
‎01-27-2014 11:27 AM

I don't use sub-searches so I always forget their usefulness.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...