Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Aliasing and Graphing events at search

craigwilkinson
Path Finder
‎01-04-2017 08:38 PM

Hi All,

Apologies if this is too simple question and has been asked 100 times, But i can't seem to find the answer I'm looking for..

For the time being, I simply want to graph the number transaction status over time from a sourcetype which shows the following: "SUCCESS" "FAILED", "BLOCKED"...

However, for failed transactions, the data is coming in with failed status= "FAIL" or "FAILURE".

How can I make "FAILED = FAIL + FAILURE", and plot the status = SUCCESS & status = BLOCKED along side it?

I'm currently using the search:
sourcetype= mydata | stats count by status

As per below:

Cheers,

Craigalt text

Preview file
5 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

HiroshiSatoh
Champion
‎01-05-2017 01:22 AM

Try this!

sourcetype= mydata|eval status=if(status="FAIL" OR status="FAILER","FAILED",status) | stats count by status

View solution in original post

Reply
Solved! Jump to solution

jplumsdaine22
Influencer
‎01-05-2017 01:32 AM

Since Hiroshi beat me to it with eval, for completeness here is how you can do it with foreach 

sourcetype= mydata 
| stats count by status 
| foreach status [eval <<FIELD>> = if((<<FIELD>>=="FAIL" OR <<FIELD>>=="FAILURE"),"FAILED",<<FIELD>>) ] 
| stats sum(count) as count by status

See: http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Foreach

Reply
Solved! Jump to solution

craigwilkinson
Path Finder
‎01-05-2017 03:31 PM

Thanks for the reply mate.

Interested to investigate this method a little further,

When I run your command, it doesn't seem to return any results :s

0 Karma
Reply
Solved! Jump to solution

jplumsdaine22
Influencer
‎01-06-2017 05:38 AM

interesting - it definately should!

Here's a run anywhere example:

|gentimes start=-1
| eval status="FAIL"
| stats count by status
 | foreach status [eval <<FIELD>> = if((<<FIELD>>=="FAIL" OR <<FIELD>>=="FAILURE"),"FAILED",<<FIELD>>) ] 
 | stats sum(count) as count by status
0 Karma
Reply
Solved! Jump to solution
Solution

HiroshiSatoh
Champion
‎01-05-2017 01:22 AM

Try this!

sourcetype= mydata|eval status=if(status="FAIL" OR status="FAILER","FAILED",status) | stats count by status

Reply
Solved! Jump to solution

jplumsdaine22
Influencer
‎01-05-2017 01:33 AM

Beat me to it!

0 Karma
Reply
Solved! Jump to solution

craigwilkinson
Path Finder
‎01-05-2017 03:27 PM

Awesome, thanks guys 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...