Solved: Re: Combining two search stats

adityapavan18 · ‎10-19-2011

Hi,

I have 2 search queries.

sourcetype="zzz" Accepted | stats count as SuccessCases

sourcetype="zzz" Rejected | stats count as FailureCases

Now i need to find the rqtion of both.How ca i do that.Can anyone help me here

kristian_kolb · ‎10-19-2011

Hi,

If Accepted and Rejected are extracted into a field, e.g. zzz_status or something similar, the following search might do the trick.

UPDATED AGAIN AGAIN: If you just want to count the occurence of success/fail, and the events within the log contain the string mentioned in your comment ( <ns:emailaccepted blah> or <ns:emailrejected blah blah> ), the search could be altered into;

sourcetype="zzz" | rex field=_raw "<ns:email(?<zzz_status>[^ ]+)| stats count(eval(zzz_status=="accepted")) AS Success count(eval(zzz_status=="rejected")) AS Fail | eval SuccessRatio=Success/Fail | table Success, Fail, SuccessToFailRatio

The rex statement above will find whatever is between "<ns:email" and the first blank space (" "), and call it zzz_status. Beware though that this would also match on <ns:email-server, <ns:emailaccount, <ns:emailAddress etc etc, so you might want to watch your step there...

hth,

Kristian

View solution in original post

kristian_kolb · ‎10-19-2011

Hi,

If Accepted and Rejected are extracted into a field, e.g. zzz_status or something similar, the following search might do the trick.

UPDATED AGAIN AGAIN: If you just want to count the occurence of success/fail, and the events within the log contain the string mentioned in your comment ( <ns:emailaccepted blah> or <ns:emailrejected blah blah> ), the search could be altered into;

sourcetype="zzz" | rex field=_raw "<ns:email(?<zzz_status>[^ ]+)| stats count(eval(zzz_status=="accepted")) AS Success count(eval(zzz_status=="rejected")) AS Fail | eval SuccessRatio=Success/Fail | table Success, Fail, SuccessToFailRatio

The rex statement above will find whatever is between "<ns:email" and the first blank space (" "), and call it zzz_status. Beware though that this would also match on <ns:email-server, <ns:emailaccount, <ns:emailAddress etc etc, so you might want to watch your step there...

hth,

Kristian

RicoSuave · ‎10-19-2011

you can use the xmlkv command to extract those key pairs.

adityapavan18 · ‎10-19-2011

textMessage sent:
ns:Response
ns:RID1234/ns:RID
ns:RQIDD201109191/ns:RQID

same way

textMessage sent :
ns:Response
ns:RID1234/ns:RID
ns:RQIDD201109191/ns:RQID

the logging happens where the actual payload starting with <ns:EmailAccepted but that is enclosed under TEXT

success scenarios have EmailAccepted

kristian_kolb · ‎10-19-2011

Could you submit a sample event or two. I believe that rex is the answer to your question.

adityapavan18 · ‎10-19-2011

Thanks Kristian.

But now i am stuck with one other problem, when i said Accepted (it is a part of XML tag), can you help how to extract XML tag name

Like my xml's having tags *Accepted are success scenario logs [eg: or ]

so i need to count all events with EmailAccepted in XML's

and then take a ratio

adityapavan18 · ‎10-19-2011

sorry i meant ratio of SuccessCases/FailureCases

Ayn · ‎10-19-2011

"rqtion" ?

Combining two search stats

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Combining two search stats

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem