Splunk Dev

How to refine this query

avii7326
New Member

How should I refine this query so that I can get every field in one table without using join, append or any other subsearch?

(index=whcrm OR index=whcrm_int) sourcetype="bmw-sl-gcdm-int-api" ("Sending POST consents to *" OR "Create / Update Consents done" OR "Error in sync-consent-dataFlow:*")
| stats count(eval(match(_raw, "Sending POST consents to *"))) as Total,
        count(eval(match(_raw, "Create / Update Consents done"))) as Success,
        count(eval(match(_raw, "Error in sync-consent-dataFlow:*"))) as Error
| eval ErrorRate = round((Error / Total) * 100, 2)
| table Total, Success, Error, ErrorRate
| append
    [ search (index=whcrm OR index=whcrm_int) sourcetype="bmw-sl-gcdm-int-api" ("Sending POST consents to *" OR "Create / Update Consents done" OR "Error in sync-consent-dataFlow:*")
    | rex field=message ": (?<json>\{[\w\W]*\})$"
    | rename properties.correlationId as correlationId
    | rename properties.gcid as GCID
    | rename properties.gcid as errorcode
    | rename properties.entity as entity
    | rename properties.country as country
    | rename properties.targetSystem as target_system
    | table correlationId GCID errorcode entity country target_system
    ]
0 Karma

scelikok
SplunkTrust

Hi @avi7326,

Please try the query below:

(index=whcrm OR index=whcrm_int) sourcetype="bmw-sl-gcdm-int-api" ("Sending POST consents to *" OR "Create / Update Consents done" OR "Error in sync-consent-dataFlow:*") 
| eval Total= if(match(_raw, "Sending POST consents to *"),1,0) 
| eval Success= if(match(_raw, "Create / Update Consents done"),1,0) 
| eval Error= if(match(_raw, "Error in sync-consent-dataFlow:*"),1,0) 
| rex field=message ": (?<json>\{[\w\W]*\})$" 
| rename properties.correlationId as correlationId 
| rename properties.gcid as GCID 
| rename properties.gcid as errorcode 
| rename properties.entity as entity 
| rename properties.country as country 
| rename properties.targetSystem as target_system 
| stats sum(Total) as Total sum(Success) as Success sum(Error) as Error by correlationId GCID errorcode entity country target_system 
| eval ErrorRate = round((Error / Total) * 100, 2)

If this reply helps you, an upvote and "Accept as Solution" is appreciated.
0 Karma

gcusello
SplunkTrust

Hi @avii7326,

Sorry, but I don't understand the purpose of this search:

You have the same search in the first part, with results aggregated using stats, so in one row you have three values: Total, Success and Error.

Then in the append search, using the same search, you have many events listed with the table command.

And there isn't any correlation between the two parts of the search.

What output would you like to have?

Ciao.

Giuseppe

0 Karma

avi7326
Path Finder

Hi @gcusello 

Can you please help me on this, as I have explained my requirement and it is a bit urgent for me.


Thanks

0 Karma

gcusello
SplunkTrust

Hi @avi7326 ,

As I said, it makes no sense to put the result of a stats search and a table in the same panel.

Use your searches in two different panels.

Ciao.

Giuseppe

0 Karma

avi7326
Path Finder

I am using these two searches because I want to extract some fields using that regular expression; that is the only reason I am appending it. I want help only with this, so that I don't repeat this search two times and have one query in a table with the fields total, success, error, correlationId, GCID etc.

Or, if I am using the wrong query, you can suggest how I should proceed:
I have these logs and have to count them for total, success and error, and these fields will be used if there is any error, to show the details of that error; the GCID and correlationId will be required. Please guide me on how I can proceed.

Thanks in Advance

0 Karma
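One way to meet the requirement stated in the last post (overall Total/Success/Error counts plus the correlationId and GCID of each failed sync, in a single pass with no append or subsearch). This is an added example, not code from any of the posters; it assumes, as the thread does, that the JSON payload sits at the end of the message field and contains a properties object with correlationId, gcid, entity, country and targetSystem. The errorcode field is left out because the posts rename properties.gcid to it a second time, which leaves it empty; substitute the real source field if there is one.

```spl
(index=whcrm OR index=whcrm_int) sourcetype="bmw-sl-gcdm-int-api"
    ("Sending POST consents to *" OR "Create / Update Consents done" OR "Error in sync-consent-dataFlow:*")
| rex field=message ": (?<json>\{[\w\W]*\})$"
| spath input=json
| eval outcome = case(like(_raw, "%Sending POST consents to %"), "received",
                      like(_raw, "%Create / Update Consents done%"), "success",
                      like(_raw, "%Error in sync-consent-dataFlow:%"), "error")
| rename properties.correlationId as correlationId,
         properties.gcid as GCID,
         properties.entity as entity,
         properties.country as country,
         properties.targetSystem as target_system
| eventstats count(eval(outcome="received")) as Total,
             count(eval(outcome="success")) as Success,
             count(eval(outcome="error")) as Error
| eval ErrorRate = if(Total > 0, round((Error / Total) * 100, 2), null())
| where outcome="error"
| table _time Total Success Error ErrorRate correlationId GCID entity country target_system
```

The design points: spath turns the rex-extracted JSON into properties.* fields, so the extraction in the original search is actually used; like() with % wildcards classifies each event once (the original match() calls pass "to *" as a regex, where * only repeats the preceding space); eventstats attaches the three counts to every event without grouping, so events that lack correlationId or GCID are not silently dropped the way a stats ... by correlationId GCID would drop them; and the if() guard keeps ErrorRate from being null when no "Sending POST" events are in the time range. Remove the final where clause to see every event with the totals beside it, and watch ErrorRate over time in an alert rather than only in a dashboard panel, since a sudden rise in consent-sync failures is the signal an operator wants to be paged on.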