Solved: Re: Custom Search

Ash1 · ‎02-18-2024

query:

|tstats count where index=new_index host=new-host source=https://itcsr.welcome.com/logs* by PREFIX(status:) _time
|rename status: as Total_Status
|where isnotnull(Total_Status)
|eval SuccessCount=if(Total_Status="0", count, Success), FailedCount=if(Total_Status!="0", count, Failed)

OUTPUT:

Total_Status	_time	count	FailedCount	SuccessCount
0	2022-01-12 13:30	100		100
0	2022-01-12 13:00	200		200
0	2022-01-13 11:30	110		110
500	2022-01-13 11:00	2	2
500	2022-01-11 10:30	4	4
500	2022-01-11 10:00	8	8

But i want the output as shown below table:

_time	SuccessCount	FailedCount
2022-01-13	110	2
2022-01-12	300	0
2022-01-11	0	12

ITWhisperer · ‎02-18-2024

| bin _time span=1d
| stats sum(SuccessCount) as SuccessCount sum(FailedCount) as FailedCount by _time

View solution in original post

ITWhisperer · ‎02-18-2024

| bin _time span=1d
| stats sum(SuccessCount) as SuccessCount sum(FailedCount) as FailedCount by _time

Ash1 · ‎02-19-2024

Hi @ITWhisperer ,

Thank you it worked, but when there are no counts it's showing as empty values in table.

I used fillnull value=0, but it's not working.

How to do this???

ITWhisperer · ‎02-20-2024

Try something like this

| timechart span=1d sum(SuccessCount) as SuccessCount sum(FailedCount) as FailedCount

Ash1 · ‎02-25-2024

Thank you @ITWhisperer

Custom Search

tstats

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services