Splunk Enterprise

The subtraction of two counts is not working for me

asharmaeqfx
Path Finder

Hi Splunkers,

I have a splunk search query 

index="xyz" source="/var/log/production.log" sourcetype="xyzlogs" type="report" 
| dedup uuid 
| stats count(uuid) as TOTAL 
| append [ search index="xyz" sourcetype=abclogs NOT host="xyte150.com.dmz" "<vv:general-messages>" ("conditions1"  "conditions2" | dedup uuid | stats count(uuid) as FAIL] 
| eval SUCCESS=TOTAL - FAIL 
| stats list(TOTAL) as TotalTransactions, values(SUCCESS) as PASSED, list(FAIL) as FAILED 
| eval Availability=round((PASSED*100)/TotalTransactions,2)

 

I cannot see any value in SUCCESS and, because of this, no Availability. Somehow the subtraction is not working. My end goal is to display a table showing the below:

TOTAL PASSED FAIL Availability

 

Can you please suggest why it is not working?

Thanks,

Amit

0 Karma
1 Solution

bowesmana
SplunkTrust

There's a small error in the SPL (unbalanced parentheses) but that's not the problem.

Using stats/append will generate two rows, so you cannot do the calculation, as it is looking for both fields in the same row.

Instead you need this

index="xyz" source="/var/log/production.log" sourcetype="xyzlogs" type="report" 
| stats dc(uuid) as TotalTransactions 
| appendcols
    [ search index="xyz" sourcetype=abclogs NOT host="xyte150.com.dmz" "<vv:general-messages>" ("conditions1" "conditions2")
    | stats dc(uuid) as FAILED] 
| eval PASSED=TotalTransactions - FAILED 
| eval Availability=round((PASSED*100)/TotalTransactions,2)

The changes are

  1. You don't need dedup, just use dc() in the stats command 
  2. Use appendcols, which will add the failed column to the same row as the total
  3. You don't need your final stats, as you only have a single row 
  4. The field naming (via stats) is not necessary

Hope this helps

 


asharmaeqfx
Path Finder

Nailed it!! You are the best

Thanks a ton for your response.

0 Karma
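The two-row versus one-row behaviour the accepted answer describes, shown as an added example that is not code from the original post or from Splunk: a small plain-Python model of `stats dc()`, `append`, `appendcols`, `fillnull` and `eval` run over constructed events (the uuid and host values are made up, and the positional merge in `appendcols` is a simplification of Splunk's behaviour). It also covers a case the thread does not raise: if the failure subsearch returns no rows, `appendcols` leaves FAILED absent and the subtraction goes null again, so a `| fillnull value=0 FAILED` before the `eval` is a worthwhile guard; that guard is my addition, not part of the answer's SPL.

```python
"""Added example: a plain-Python model of the SPL pipeline discussed in this thread.
It is not code from the original post or from Splunk; the events below are constructed."""
from typing import Any, Dict, List, Optional

Row = Dict[str, Any]

# Constructed sample events. uuid repeats, as in the poster's data, so a plain count()
# would over-count; dc() counts each uuid once.
REPORT_EVENTS: List[Row] = [
    {"uuid": "a1"}, {"uuid": "a1"}, {"uuid": "b2"},
    {"uuid": "c3"}, {"uuid": "d4"}, {"uuid": "e5"},
]
FAILURE_EVENTS: List[Row] = [
    {"uuid": "b2", "host": "app01"}, {"uuid": "b2", "host": "app01"},
    {"uuid": "c3", "host": "app02"},
    {"uuid": "e5", "host": "xyte150.com.dmz"},  # dropped by NOT host="xyte150.com.dmz"
]
EXCLUDED_HOST = "xyte150.com.dmz"


def dc(events: List[Row], field: str) -> int:
    """stats dc(field): number of distinct non-null values (replaces dedup + count)."""
    return len({e[field] for e in events if e.get(field) is not None})


def search_total(events: List[Row]) -> List[Row]:
    """... type="report" | stats dc(uuid) as TotalTransactions  -> exactly one row."""
    return [{"TotalTransactions": dc(events, "uuid")}]


def search_failed(events: List[Row], excluded_host: str) -> List[Row]:
    """... NOT host=<excluded_host> ... | stats dc(uuid) as FAILED  -> exactly one row."""
    kept = [e for e in events if e.get("host") != excluded_host]
    return [{"FAILED": dc(kept, "uuid")}]


def append(rows: List[Row], sub: List[Row]) -> List[Row]:
    """append: subsearch results become additional ROWS (the poster's query)."""
    return rows + sub


def appendcols(rows: List[Row], sub: List[Row]) -> List[Row]:
    """appendcols: subsearch fields become additional COLUMNS, matched row-by-row
    (modelled here as a positional merge; rows without a partner keep their own fields)."""
    out = [dict(r) for r in rows]
    for i, s in enumerate(sub):
        if i < len(out):
            out[i].update(s)
        else:
            out.append(dict(s))
    return out


def fillnull(rows: List[Row], field: str, value: Any = 0) -> List[Row]:
    """fillnull value=<value> <field>: default a missing/null field before arithmetic."""
    return [{**r, field: value if r.get(field) is None else r[field]} for r in rows]


def eval_fields(rows: List[Row]) -> List[Row]:
    """eval PASSED=TotalTransactions-FAILED | eval Availability=round(PASSED*100/TotalTransactions,2).
    As in Splunk eval, arithmetic on a null/missing operand produces null (None), not an error."""
    out: List[Row] = []
    for r in rows:
        r = dict(r)
        total: Optional[int] = r.get("TotalTransactions")
        failed: Optional[int] = r.get("FAILED")
        r["PASSED"] = total - failed if total is not None and failed is not None else None
        r["Availability"] = (round(r["PASSED"] * 100 / total, 2)
                             if r["PASSED"] is not None and total else None)
        out.append(r)
    return out


def posters_query() -> List[Row]:
    """stats | append [stats] | eval: two rows, neither holding both operands, so PASSED is null."""
    return eval_fields(append(search_total(REPORT_EVENTS),
                              search_failed(FAILURE_EVENTS, EXCLUDED_HOST)))


def accepted_answer(failed_rows: Optional[List[Row]] = None) -> Row:
    """stats | appendcols [stats] | fillnull | eval: one row, so the subtraction works.
    Pass failed_rows=[] to model a failure subsearch that returned nothing."""
    if failed_rows is None:
        failed_rows = search_failed(FAILURE_EVENTS, EXCLUDED_HOST)
    rows = appendcols(search_total(REPORT_EVENTS), failed_rows)
    rows = fillnull(rows, "FAILED", 0)  # added guard, not in the thread's SPL
    return eval_fields(rows)[0]


if __name__ == "__main__":
    print("append     :", posters_query())
    print("appendcols :", accepted_answer())
    print("appendcols, empty subsearch:", accepted_answer([]))
```

With the constructed events, `posters_query()` returns two rows with PASSED and Availability null in both; the poster's trailing `stats list(TOTAL) ... values(SUCCESS)` would collapse those rows to one, but SUCCESS is already null in each, so nothing is recovered. `accepted_answer()` returns a single row with TotalTransactions 5, FAILED 2, PASSED 3 and Availability 60.0, and `accepted_answer([])` shows the fillnull guard turning an empty failure subsearch into FAILED 0 and Availability 100.0 instead of null.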

