Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Add results depending on different fields

BaptVe
Path Finder
‎05-02-2016 02:24 AM

Hello,

I'm looking to add the results of a count from different fields in one for a table: 

 index=XXXX sourcetype="XXXXXX" type=ERROR errorType="*" OR errorType2="*" OR NPE="*" | stats count by errorType

When I run this search, I only get the stats count for the errorType, but I'd like to add the count for errorType2 and NPE and make a table with all of these results.

The table should looks like this: 

Name of Error          Count

navigation.Error       7896  
navigation.ErrorMenu   1780  
operation.Error        177  
validation.Error       96

where, for example, navigation comes from errorType, operation comes errorType2, ...

Thanks for your help!

0 Karma
Reply

BaptVe
Path Finder
‎05-09-2016 12:28 AM

Hello,

Thanks for you help everyone, i didn't try your queries because i start looking on another way to do the job :
I had trouble at the beginning with my logs (they were very different) so i create multiple field to match them all and tried to coalesce them all.

But finally i found a way to create better field and make my errorType & errorType2 match in one field !
I had to work a little bit on the ReGex and delete the old field i create so i can't try your queries !

I apologize for the loss of time and thanks you all for your help,
Maybe this queries will be useful for someone else !

0 Karma
Reply

somesoni2
Revered Legend
‎05-02-2016 07:03 AM

Another simple option would be to use coalesce command

index=XXXX sourcetype="XXXXXX" type=ERROR errorType="*" OR errorType2="*" OR NPE="*" | eval errorType=coalesce(errorType, errorType2, NPE)| stats count by errorType

http://docs.splunk.com/Documentation/Splunk/6.4.0/SearchReference/CommonEvalFunctions

Reply

woodcock
Esteemed Legend
‎05-02-2016 06:09 AM

If mutually-exclusive, like this:

index=XXXX sourcetype="XXXXXX" type=ERROR errorType="*" OR errorType2="*" OR NPE="*" | eval errorType = case(
   isnotnull(errorType), "errorType",
   isnotnull(errorType2), "errorType2",
   isnotnull(NPE), "NPE",
   true(), "ERROR!")
| stats count AS "Name of Error" BY errorType

Otherwise, like this:

index=XXXX sourcetype="XXXXXX" type=ERROR errorType="*" OR errorType2="*" OR NPE="*" | fillnull value="NULL" errorType errorType2 NPE | stats count AS "Name of Error" BY errorType errorType2 NPE

The other answers skip fillnull and without this, you will drop events (try it and you will see).

Reply

woodcock
Esteemed Legend
‎05-02-2016 07:25 AM

Actually, the first option should be this:

index=XXXX sourcetype="XXXXXX" type=ERROR errorType="*" OR errorType2="*" OR NPE="*" | eval errorType=coalesce(errorType, errorType2, NPE) | stats count AS "Name of Error" BY errorType
0 Karma
Reply

BaptVe
Path Finder
‎05-02-2016 03:28 AM 
index=XXXX sourcetype="XXXXXX" type=ERROR errorType="*" OR errorType2="*" OR NPE="*" | rename errorType2 AS errorType | rename NPE AS errorType | stats count by errorType

==> Only keep the results of NPE.

And others solution you give me didnt work :
They only keep a part of the results !

Perhpas should i search with append / join / appendcols / ...

Still searching for an answer, thanks for your help !

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-02-2016 02:51 AM

Or this:

   index=XXXX sourcetype="XXXXXX" type=ERROR errorType="*" OR errorType2="*" OR NPE="*" | rename errorType2 AS errorType NPE AS errorType | stats count by errorType | rename errorType AS "Name of Error"
Reply

NOUMSSI
Builder
‎05-02-2016 02:37 AM

Hi,
try this:

index=XXXX sourcetype="XXXXXX" type=ERROR errorType="*" OR errorType2="*" OR NPE="*" | stats count by errorType, errorType2, NPE
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...