Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- After calculations in a search, why am I unable to...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After calculations in a search, why am I unable to display results using the table command?
chrisboy68
Contributor
02-15-2016
01:54 PM
Hi,
This search below is working great....
index=logs AND (sourcetype=eMetrics) | JOIN type=outer OrderNumber [ search index=logs AND LogLevel=ERROR AND ErrorType="BAD_ORDER" ]
| stats count(eval(Name!="SUCCESS")) as bad_orders, count(eval(Name=="SUCCESS")) as good_orders | eval percent_bad=100*bad_orders/good_orders | where percent_bad > 30
However, adding the table command does not work.
index=logs AND (sourcetype=eMetrics) | JOIN type=outer OrderNumber [ search index=logs AND LogLevel=ERROR AND ErrorType="BAD_ORDER" ]
| stats count(eval(Name!="SUCCESS")) as bad_orders, count(eval(Name=="SUCCESS")) as good_orders | eval percent_bad=100*bad_orders/good_orders | where percent_bad > 30 | table OrderNumber, ErrorMessage
Any ideas? I'm trying to use this as an alert and it will display a table of bad_orders with a few Event fields.
Thank you!
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
chimell
Motivator
02-16-2016
12:54 AM
Hi
Try with
..................|fields OrderNumber ErrorMessage
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
02-15-2016
03:22 PM
Your stats command is limiting the fields to only the bad_orders and good_orders. The field that you want to show are not available there.
If you can add some sample events and/or describe fields available in both your sources, we can probably suggest you better options (then join).
You can give this a try (just for fun)
index=logs (sourcetype=eMetrics) OR (LogLevel=ERROR AND ErrorType="BAD_ORDER" ) | stats values(Name) as Name, values(ErrorMessage) as ErrorMessage by OrderNumber | eventstats count(eval(Name!="SUCCESS")) as bad_orders, count(eval(Name=="SUCCESS")) as good_orders | eval percent_bad=100*bad_orders/good_orders | where percent_bad > 30 | table OrderNumber, ErrorMessage
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
chimell
Motivator
02-16-2016
12:35 AM
hi
in your query i can not see ErrorMessage field where it is?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
02-16-2016
05:25 AM
Its the second field in the stats.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
chrisboy68
Contributor
02-16-2016
06:43 AM
Thanks for your response. Ok, so I got rid of the Join and saw you used Eventstats so I gave the below a try.
index=logs AND (sourcetype=Metrics OR (LogLevel=ERROR AND ErrorType="BAD_ORDER" ))
| eventstats count(eval(Name!="SUCCESS")) as bad_orders, count(eval(Name=="SUCCESS")) as good_orders | eval percent_bad=100*bad_orders/good_orders | where percent_bad > 20 |search ErrorType="BAD_ORDER", OrderNumber != NULL | table percent_bad, _time ,OrderNumber, ErrorMessage, ErrorMessage2
Seems like its working, I'll need to analyse more to see if the calculations are correct. If there is a better way, please share!
Thanks for your help!
Chris
Get Updates on the Splunk Community!
A Season of Skills: New Splunk Courses to Light Up Your Learning Journey
There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...
Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...
Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...
Splunk Observability for AI
Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!
Discover how Splunk’s agentic AI ...
