Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Add Secondary search variable in primary search

rahulmittal2391
New Member
‎06-25-2024 03:32 AM

rahulmittal2391_0-1719311265868.png

index="ss-stg-dkp" cluster_name="*" AND namespace=dcx AND (label_app="composite-*" ) sourcetype="kube:container:main" | rex \"status\":"(?<Http_code>\d+)" | rex \"evtType\":"\"(?<evt_type>\w+)"\" |search evt_type=REQUEST| stats count(eval(Http_code>0)) as "Totalhits" count(eval(Http_code <500)) as "sR"| append [ search index="ss-stg-dkp" cluster_name="*" AND namespace=dcx AND (label_app="composite-*" ) sourcetype="kube:container:main"| rex field=_raw "Status code:"\s(?<code>\d+) |stats count(eval(code =500)) as error]

 

Hi All I want to add error count in to Totalhits

like eval TotalRequest = error+TotalHits

rahulmittal2391_1-1719311491042.png

It is showing as null value. Please help me to achieve this

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-25-2024 05:10 AM

Try something like this

index="ss-stg-dkp" cluster_name="*" AND namespace=dcx AND (label_app="composite-*" ) sourcetype="kube:container:main" | rex \"status\":"(?<Http_code>\d+)" | rex \"evtType\":"\"(?<evt_type>\w+)"\" | rex field=_raw "Status code:"\s(?<code>\d+) | stats count(eval(Http_code>0 AND evt_type="REQUEST")) as "Totalhits" count(eval(Http_code <500 AND evt_type="REQUEST")) as "sR" count(eval(code =500)) as error
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...