Solved: Combining two search stats

adityapavan18 · ‎10-19-2011

Hi,

I have 2 search queries.

sourcetype="zzz" Accepted | stats count as SuccessCases

sourcetype="zzz" Rejected | stats count as FailureCases

Now i need to find the rqtion of both.How ca i do that.Can anyone help me here

kristian_kolb · ‎10-19-2011

Hi,

If Accepted and Rejected are extracted into a field, e.g. zzz_status or something similar, the following search might do the trick.

UPDATED AGAIN AGAIN: If you just want to count the occurence of success/fail, and the events within the log contain the string mentioned in your comment ( <ns:emailaccepted blah> or <ns:emailrejected blah blah> ), the search could be altered into;

sourcetype="zzz" | rex field=_raw "<ns:email(?<zzz_status>[^ ]+)| stats count(eval(zzz_status=="accepted")) AS Success count(eval(zzz_status=="rejected")) AS Fail | eval SuccessRatio=Success/Fail | table Success, Fail, SuccessToFailRatio

The rex statement above will find whatever is between "<ns:email" and the first blank space (" "), and call it zzz_status. Beware though that this would also match on <ns:email-server, <ns:emailaccount, <ns:emailAddress etc etc, so you might want to watch your step there...

hth,

Kristian

View solution in original post

kristian_kolb · ‎10-19-2011

Hi,

If Accepted and Rejected are extracted into a field, e.g. zzz_status or something similar, the following search might do the trick.

UPDATED AGAIN AGAIN: If you just want to count the occurence of success/fail, and the events within the log contain the string mentioned in your comment ( <ns:emailaccepted blah> or <ns:emailrejected blah blah> ), the search could be altered into;

sourcetype="zzz" | rex field=_raw "<ns:email(?<zzz_status>[^ ]+)| stats count(eval(zzz_status=="accepted")) AS Success count(eval(zzz_status=="rejected")) AS Fail | eval SuccessRatio=Success/Fail | table Success, Fail, SuccessToFailRatio

The rex statement above will find whatever is between "<ns:email" and the first blank space (" "), and call it zzz_status. Beware though that this would also match on <ns:email-server, <ns:emailaccount, <ns:emailAddress etc etc, so you might want to watch your step there...

hth,

Kristian

RicoSuave · ‎10-19-2011

you can use the xmlkv command to extract those key pairs.

adityapavan18 · ‎10-19-2011

textMessage sent:
ns:Response
ns:RID1234/ns:RID
ns:RQIDD201109191/ns:RQID

same way

textMessage sent :
ns:Response
ns:RID1234/ns:RID
ns:RQIDD201109191/ns:RQID

the logging happens where the actual payload starting with <ns:EmailAccepted but that is enclosed under TEXT

success scenarios have EmailAccepted

kristian_kolb · ‎10-19-2011

Could you submit a sample event or two. I believe that rex is the answer to your question.

adityapavan18 · ‎10-19-2011

Thanks Kristian.

But now i am stuck with one other problem, when i said Accepted (it is a part of XML tag), can you help how to extract XML tag name

Like my xml's having tags *Accepted are success scenario logs [eg: or ]

so i need to count all events with EmailAccepted in XML's

and then take a ratio

adityapavan18 · ‎10-19-2011

sorry i meant ratio of SuccessCases/FailureCases

Ayn · ‎10-19-2011

"rqtion" ?

Combining two search stats

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!