Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Combining two search stats

adityapavan18
Contributor
‎10-19-2011 04:28 AM

Hi,

I have 2 search queries.

sourcetype="zzz" Accepted | stats count as SuccessCases

sourcetype="zzz" Rejected | stats count as FailureCases

Now i need to find the rqtion of both.How ca i do that.Can anyone help me here

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎10-19-2011 06:24 AM

Hi,

If Accepted and Rejected are extracted into a field, e.g. zzz_status or something similar, the following search might do the trick.

UPDATED AGAIN AGAIN: If you just want to count the occurence of success/fail, and the events within the log contain the string mentioned in your comment ( <ns:emailaccepted blah> or <ns:emailrejected blah blah> ), the search could be altered into;

sourcetype="zzz" | rex field=_raw "<ns:email(?<zzz_status>[^ ]+)| stats count(eval(zzz_status=="accepted")) AS Success count(eval(zzz_status=="rejected")) AS Fail | eval SuccessRatio=Success/Fail | table Success, Fail, SuccessToFailRatio

The rex statement above will find whatever is between "<ns:email" and the first blank space (" "), and call it zzz_status. Beware though that this would also match on <ns:email-server, <ns:emailaccount, <ns:emailAddress etc etc, so you might want to watch your step there...

hth,

Kristian

View solution in original post

Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎10-19-2011 06:24 AM

Hi,

If Accepted and Rejected are extracted into a field, e.g. zzz_status or something similar, the following search might do the trick.

UPDATED AGAIN AGAIN: If you just want to count the occurence of success/fail, and the events within the log contain the string mentioned in your comment ( <ns:emailaccepted blah> or <ns:emailrejected blah blah> ), the search could be altered into;

sourcetype="zzz" | rex field=_raw "<ns:email(?<zzz_status>[^ ]+)| stats count(eval(zzz_status=="accepted")) AS Success count(eval(zzz_status=="rejected")) AS Fail | eval SuccessRatio=Success/Fail | table Success, Fail, SuccessToFailRatio

The rex statement above will find whatever is between "<ns:email" and the first blank space (" "), and call it zzz_status. Beware though that this would also match on <ns:email-server, <ns:emailaccount, <ns:emailAddress etc etc, so you might want to watch your step there...

hth,

Kristian

Reply
Solved! Jump to solution

RicoSuave
Builder
‎10-19-2011 10:13 AM

you can use the xmlkv command to extract those key pairs.

0 Karma
Reply
Solved! Jump to solution

adityapavan18
Contributor
‎10-19-2011 09:23 AM

textMessage sent:
ns:Response
ns:RID1234/ns:RID
ns:RQIDD201109191/ns:RQID

same way

textMessage sent :
ns:Response
ns:RID1234/ns:RID
ns:RQIDD201109191/ns:RQID

the logging happens where the actual payload starting with <ns:EmailAccepted but that is enclosed under TEXT

success scenarios have EmailAccepted

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎10-19-2011 08:14 AM

Could you submit a sample event or two. I believe that rex is the answer to your question.

0 Karma
Reply
Solved! Jump to solution

adityapavan18
Contributor
‎10-19-2011 06:53 AM

Thanks Kristian.

But now i am stuck with one other problem, when i said Accepted (it is a part of XML tag), can you help how to extract XML tag name

Like my xml's having tags *Accepted are success scenario logs [eg: or ]

so i need to count all events with EmailAccepted in XML's

and then take a ratio

0 Karma
Reply
Solved! Jump to solution

adityapavan18
Contributor
‎10-19-2011 06:13 AM

sorry i meant ratio of SuccessCases/FailureCases

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎10-19-2011 05:07 AM

"rqtion" ?

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...