Splunk IT Service Intelligence

need to differentiate two columns and display the different values

New Member

Hi team,

message_id status time

2020-02-12T12:22:23.415248Z ERROR 2020-02-14T00:01:14.038498814Z
2020-02-12T12:22:23.415248Z ERROR 2020-02-14T00:00:34.034346477Z
2020-02-12T12:22:23.415248Z ERROR 2020-02-13T23:59:53.851851061Z
2020-02-12T12:22:23.415248Z ERROR 2020-02-13T23:57:12.663621081Z
2020-02-12T12:22:23.415248Z ERROR 2020-02-13T23:53:51.293506747Z
2020-01-21T13:09:14.416164Z PROCESSED 2020-02-19T01:50:05.55630875Z
2020-01-21T13:09:14.416164Z PROCESSING 2020-02-19T01:50:04.621606854Z
2020-01-21T13:09:44.586501Z ERROR 2020-02-19T01:50:04.305742277Z
2020-01-21T13:09:44.586501Z PROCESSING 2020-02-19T01:50:04.233225192Z
2020-01-21T13:09:44.586416Z PROCESSED 2020-02-19T01:50:04.142651435Z
2020-01-21T13:09:44.586416Z PROCESSING 2020-02-19T01:50:03.826457927Z
2020-01-21T13:09:44.586321Z PROCESSED 2020-02-19T01:50:03.745964666Z
2020-01-21T13:09:44.586321Z PROCESSING 2020-02-19T01:50:03.449583679Z
2020-01-21T13:09:44.586190Z PROCESSED 2020-02-19T01:50:03.337887858Z
2020-01-21T13:09:44.586190Z PROCESSING 2020-02-19T01:50:03.086329734Z
2020-01-21T13:09:44.586063Z PROCESSED 2020-02-19T01:50:03.00531639Z
2020-01-21T13:09:44.586063Z PROCESSING 2020-02-19T01:50:02.735821778Z
2020-01-21T13:09:44.585532Z PROCESSED 2020-02-19T01:50:02.677935722Z
2020-01-21T13:09:44.585532Z PROCESSING 2020-02-19T01:50:02.379874913Z
2020-01-21T13:09:44.585456Z PROCESSED 2020-02-19T01:50:02.320574471Z
2020-01-21T13:09:44.585456Z PROCESSING 2020-02-19T01:50:02.056969718Z
2020-01-21T13:09:44.585379Z PROCESSED 2020-02-19T01:50:01.993389933Z
2020-01-21T13:09:44.585379Z PROCESSING 2020-02-19T01:50:01.645723986Z
2020-01-21T13:09:44.585301Z PROCESSED 2020-02-19T01:50:01.573655793Z
2020-01-21T13:09:44.585301Z PROCESSING 2020-02-19T01:50:01.319969304Z
2020-01-21T13:09:44.585220Z PROCESSED 2020-02-19T01:50:01.256761569Z
2020-01-21T13:09:44.585220Z PROCESSING 2020-02-19T01:50:00.980754532Z
2020-01-21T13:09:44.585132Z PROCESSED 2020-02-19T01:50:00.920435406Z
2020-01-21T13:09:44.583423Z PROCESSING 2020-02-19T01:49:54.709364124Z
2020-01-21T13:09:44.583342Z PROCESSED 2020-02-19T01:49:54.627564396Z
2020-01-21T13:09:44.583342Z PROCESSING 2020-02-19T01:49:54.379127471Z
2020-01-21T13:09:44.583255Z PROCESSED 2020-02-19T01:49:54.319034068Z
2020-01-21T13:09:44.583255Z PROCESSING 2020-02-19T01:49:54.028230252Z
2020-01-21T13:09:44.583171Z PROCESSED 2020-02-19T01:49:53.942640218Z
2020-01-21T13:09:44.583171Z PROCESSING 2020-02-19T01:49:53.689197493Z
2020-01-21T13:09:44.583085Z PROCESSED 2020-02-19T01:49:53.627728985Z
2020-01-21T13:09:44.583085Z PROCESSING 2020-02-19T01:49:53.389097603Z
2020-01-21T13:09:44.582989Z PROCESSED 2020-02-19T01:49:53.332868523Z
2020-01-21T13:09:44.582989Z PROCESSING 2020-02-19T01:49:53.085943873Z
2020-01-21T13:09:44.582905Z PROCESSED 2020-02-19T01:49:53.027980939Z
2020-01-21T13:09:44.582905Z PROCESSING 2020-02-19T01:49:52.757156504Z
2020-01-21T13:09:44.582821Z PROCESSED 2020-02-19T01:49:52.697941959Z
2020-01-21T13:09:44.582821Z PROCESSING 2020-02-19T01:49:52.463730556Z
2020-01-21T13:09:44.582727Z PROCESSED 2020-02-19T01:49:52.410138972Z
2020-01-21T13:09:44.582727Z PROCESSING 2020-02-19T01:49:52.169536808Z
2020-01-21T13:09:44.582639Z PROCESSED 2020-02-19T01:49:52.107720449Z
2020-01-21T13:09:44.582639Z PROCESSING 2020-02-19T01:49:51.84715461Z
2020-01-21T13:09:44.582555Z PROCESSED 2020-02-19T01:49:51.777011069Z
2020-01-21T13:09:44.582555Z PROCESSING 2020-02-19T01:49:51.488824085Z
2020-01-21T13:09:44.582467Z PROCESSED 2020-02-19T01:49:51.414304108Z
2020-01-21T13:09:44.582467Z PROCESSING 2020-02-19T01:49:51.146699571Z
2020-01-21T13:09:44.582370Z PROCESSED 2020-02-19T01:49:51.07314806Z
2020-01-21T13:09:44.582370Z PROCESSING 2020-02-19T01:49:50.803455506Z
2020-01-21T13:09:44.582288Z PROCESSED 2020-02-19T01:49:50.68563427Z
2020-01-21T13:09:44.582288Z PROCESSING 2020-02-19T01:49:50.418044177Z
2020-01-21T13:09:44.582211Z PROCESSED 2020-02-19T01:49:50.34967605Z

I had three columns message_id, status, time and I want to print the 'message_ids' which are YetToBeProcessed

YetToBeProcessed = ERROR+PROCESSED-PROCESSING

Example: Error appeared in 50 times and corresponding message_id's
Processed apperared 200 times and corresponding message_id's
Procesing appeared 100 times and corresponding message_id's

Note:
error, processing message_id's might be same
Processed,Processing message_id's might be same
But error, processed should not be same.

Thanks,
Yamuna

Labels (2)
0 Karma

SplunkTrust
SplunkTrust
your search
|stats count(eval(status="ERROR")) as ERROR, count(eval(status="PROCESSED")) as PROCESSED, count(eval(status="PROCESSING")) as PROCESSING by message_id
|eval YetToBeProcessed = ERROR+PROCESSED-PROCESSING

Hi, how about this?

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!