Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Custom Search

Ash1
Communicator
‎02-18-2024 11:59 AM

query:

|tstats count where index=new_index host=new-host source=https://itcsr.welcome.com/logs* by PREFIX(status:) _time
|rename status:  as Total_Status
|where isnotnull(Total_Status)
|eval SuccessCount=if(Total_Status="0", count, Success), FailedCount=if(Total_Status!="0", count, Failed)

OUTPUT:

Total_Status_timecountFailedCountSuccessCount
02022-01-12 13:30100 100
02022-01-12 13:00200 200
02022-01-13 11:30110 110
5002022-01-13 11:0022 
5002022-01-11 10:3044 
5002022-01-11 10:0088 

 

But i want the output as shown below table:

_timeSuccessCountFailedCount
2022-01-131102
2022-01-123000
2022-01-11012
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-18-2024 12:08 PM 
| bin _time span=1d
| stats sum(SuccessCount) as SuccessCount sum(FailedCount) as FailedCount by _time

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-18-2024 12:08 PM 
| bin _time span=1d
| stats sum(SuccessCount) as SuccessCount sum(FailedCount) as FailedCount by _time
Reply
Solved! Jump to solution

Ash1
Communicator
‎02-19-2024 10:20 AM

Hi @ITWhisperer ,

Thank you it worked, but when there are no counts it's showing as empty values in table.

I used fillnull value=0, but it's not working.

How to do this???

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-20-2024 01:13 AM

Try something like this

| timechart span=1d sum(SuccessCount) as SuccessCount sum(FailedCount) as FailedCount
Reply
Solved! Jump to solution

Ash1
Communicator
‎02-25-2024 10:53 AM

Thank you @ITWhisperer 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...