Hi Splunkers,
I have a Splunk search query:
index="xyz" source="/var/log/production.log" sourcetype="xyzlogs" type="report" | dedup uuid | stats count(uuid) as TOTAL | append [ search index="xyz" sourcetype=abclogs NOT host="xyte150.com.dmz" "<vv:general-messages>" ("conditions1" "conditions2" | dedup uuid | stats count(uuid) as FAIL] | eval SUCCESS=TOTAL - FAIL |stats list(TOTAL) as TotalTransactions, values(SUCCESS) as PASSED, list(FAIL) as FAILED | eval Availability=round((PASSED*100)/TotalTransactions,2)
I cannot see any value in SUCCESS and due to this no Availability. Somehow the subtraction is not working. My end goal is to display a table to show the below
TOTAL PASSED FAIL Availability
Can you please suggest why it is not working?
Thanks,
Amit
There's a small error in the SPL (unbalanced parentheses) but that's not the problem.
Using stats/append will generate two rows, so you cannot do the calculation, as it is looking for both fields in the same row.
Instead you need this
index="xyz" source="/var/log/production.log" sourcetype="xyzlogs" type="report"
| stats dc(uuid) as TotalTransactions
| appendcols
[ search index="xyz" sourcetype=abclogs NOT host="xyte150.com.dmz" "<vv:general-messages>" ("conditions1" "conditions2")
| stats dc(uuid) as FAILED]
| eval PASSED=TotalTransactions - FAILED
| eval Availability=round((PASSED*100)/TotalTransactions,2)
The changes are
Hope this helps
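The row-versus-column behaviour described in the answer above can be reproduced on any Splunk instance without the poster's indexes. This is an added example, not part of the original thread: `makeresults` stands in for the two searches, and the `constructed-uuid-N` values are made-up sample data (5 transactions in total, 2 of them failed).

```spl
| makeresults count=5
| streamstats count as n
| eval uuid="constructed-uuid-".n
| stats dc(uuid) as TotalTransactions
| appendcols
    [| makeresults count=2
     | streamstats count as n
     | eval uuid="constructed-uuid-".n
     | stats dc(uuid) as FAILED]
| eval PASSED=TotalTransactions - FAILED
| eval Availability=round((PASSED*100)/TotalTransactions,2)
| table TotalTransactions PASSED FAILED Availability
```

This returns a single row with TotalTransactions=5, PASSED=3, FAILED=2 and an Availability of 60 percent. Swapping `appendcols` for `append` puts FAILED on a second row, so PASSED and Availability come back empty, which is the symptom in the question.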
Nailed it!! You are the best
Thanks a ton for your response.