Splunk Search

Create Columns for Count of Events by Field Value

Explorer

I am having a bit of trouble figuring out how I can get what I am looking for when it comes to separating out successes and failures.

So what I have is event information that I would like count based on the value of an action field per individual host. The table in the dashboard would end up have the three columns of the host name, counting of the events that the action was successful, and counting of the events that were unsuccessful. I would like to do this as compactly in terms of the Splunk query. I am thinking of something like running an eval to establish fail or success from the action field itself in the stats area but I am open to other solutions.

Thanks for the help everyone.

0 Karma
1 Solution

Legend

Hi JeffBothel,
if you already have a field containing success or failure (called e.g. "result") it's easy to create a chart, if instead you don't have it you have to build it.
If you already have

index=your_index sourcetype=your_sourcetype
| chart count over result by host

if you haven't

index=your_index sourcetype=your_sourcetype
| eval result=if(Action="Success","Success","Failure")
| chart count over result by host

If your condition is multiple use case instead if

index=your_index sourcetype=your_sourcetype
| eval result=case(Action="Success","Success", Action="OK","Success", Action="Failure","Failure)
| chart count over result by host

Bye.
Giuseppe

View solution in original post

0 Karma

Legend

Hi JeffBothel,
if you already have a field containing success or failure (called e.g. "result") it's easy to create a chart, if instead you don't have it you have to build it.
If you already have

index=your_index sourcetype=your_sourcetype
| chart count over result by host

if you haven't

index=your_index sourcetype=your_sourcetype
| eval result=if(Action="Success","Success","Failure")
| chart count over result by host

If your condition is multiple use case instead if

index=your_index sourcetype=your_sourcetype
| eval result=case(Action="Success","Success", Action="OK","Success", Action="Failure","Failure)
| chart count over result by host

Bye.
Giuseppe

View solution in original post

0 Karma

Explorer

I think that I need to clarify; columns in a table that are showing the counted values in a table format. This would be in the form of host, count of success, count of failure with one in each column. Thus in the above creation of a result field I would need an evaluation of whether to count the information based on the value. What I am looking for is something like the following:

| table count(eval(if(action=="Success"))), count(eval(if(action=="Fail"))) by source

I do know that the above is not wanting to work in the method I am looking for but that is essentially it and I need it in a numerical format to do side by side comparisons of counts. As such thank you for the suggestion on a chart but a chart is not what is needed in my particular situation.

0 Karma

Legend

Hi
Sorry but I don't understand: you cannot use count in table command but only in statistical and charting functions.
In addition, You asked to diplay the count of successes and failures for each host and in your last search you use "by source" clause, what it means?

A search like this displays the count of successes and failures for each host, as you want:

index=your_index sourcetype=your_sourcetype
| eval result=if(action="Success","Success","Fail")
| chart count over host by result

Bye.
Giuseppe

0 Karma