Splunk Search

Get Individual Totals when stats count has a field that logs errors

beriwalnishant
Path Finder

Hello Experts,

This is a long search, an explored query that I am trying to get a way around.

If we do a simple query like this

index=zzzzzz
| stats count as Total, count(eval(txnStatus="FAILED")) as "Failed_Count", count(eval(txnStatus="SUCCEEDED")) as "Passed_Count" by country, type, ProductCode
| fields country, ProductCode, type, Failed_Count, Passed_Count, Total

This simple query above gives me a result table where the Total belongs to the specific country and ProductCode, i.e. an individual Total.

Now there is this field 'errorinfo'. What I want is to show the 'errorinfo' as well, if it is "codeerror", in the above list like this


index=zzzzzz
| stats count as Total, count(eval(txnStatus="FAILED")) as "Failed_Count", count(eval(txnStatus="SUCCEEDED")) as "Passed_Count" by country, type, ProductCode, errorinfo
| fields country, ProductCode, type, Failed_Count, Passed_Count, errorinfo, Total


This table shows results like this below

country | ProductCode | type | Failed_Count | Passed_Count | errorinfo            | Total
usa     | 1111        | c    | 4            | 0            | wrong code value     | 4
usa     | 1111        | c    | 6            | 0            | wrong field selected | 6
usa     | 1111        | c    | 0            | 60           | NA                   | 70


How can I do it so that I can see results like this, where Total remains the complete total of the field txnStatus (FAILED+SUCCEEDED)?

Like the table below. If I can achieve this I can do % of total as well; as you see, the Total belongs to one country: the usa total shows the usa total and the canada total shows the can total.


country | ProductCode | type | Failed_Count | errorinfo            | Total
usa     | 1111        | c    | 4            | wrong code value     | 70
usa     | 1111        | c    | 6            | wrong field selected | 70
can     | 2221        | b    | 2            | wrong entry          | 50
can     | 2221        | b    | 6            | code not found       | 50

Thanks in advance

Nishant


beriwalnishant
Path Finder

This doesn't show you the Total. Total should mean here (txnStatus="FAILED" + txnStatus="SUCCEEDED").

With the above solution the Total is only the total of 'FAILED' in txnStatus.

I want the total to be the absolute total (FAILED + SUCCEEDED).


yuanliu
SplunkTrust

The command you are looking for is still eventstats.

index=zzzzzz
| stats count as Total, count(eval(txnStatus="FAILED")) as "Failed_Count", count(eval(txnStatus="SUCCEEDED")) as "Passed_Count" by country, type, ProductCode, errorinfo
| eventstats sum(Total) as Total
| fields country, ProductCode, type, Failed_Count, Passed_Count, errorinfo, Total

It's all about how you group the results.


yuanliu
SplunkTrust

The command you are looking for is eventstats.

index=zzzzzz
| stats count as Total, count(eval(txnStatus="FAILED")) as "Failed_Count", count(eval(txnStatus="SUCCEEDED")) as "Passed_Count" by country, type, ProductCode, errorinfo
| eventstats sum(Total) as Total by country
| fields country, ProductCode, type, Failed_Count, Passed_Count, errorinfo, Total

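As an added illustration (not code from the thread), this Python stand-in replays the two-pass stats/eventstats grouping over constructed events and then drops the non-error rows, so the per-country Total keeps the SUCCEEDED counts; the PENDING status, the `strict` switch and the `pct` column are my additions to show that `count` is not the same as FAILED + SUCCEEDED.

```python
from collections import Counter

# Constructed sample events standing in for index=zzzzzz (not data from the thread).
def _mk(country, typ, code, status, errorinfo, n):
    return [{"country": country, "type": typ, "ProductCode": code,
             "txnStatus": status, "errorinfo": errorinfo}] * n

EVENTS = (_mk("usa", "c", "1111", "FAILED", "wrong code value", 4)
          + _mk("usa", "c", "1111", "FAILED", "wrong field selected", 6)
          + _mk("usa", "c", "1111", "SUCCEEDED", "NA", 60)
          + _mk("usa", "c", "1111", "PENDING", "NA", 1)   # neither FAILED nor SUCCEEDED
          + _mk("can", "b", "2221", "FAILED", "wrong entry", 2)
          + _mk("can", "b", "2221", "FAILED", "code not found", 6)
          + _mk("can", "b", "2221", "SUCCEEDED", "NA", 42))

def stats_by_errorinfo(events):
    """Pass 1, like `stats count as Total, count(eval(txnStatus="FAILED")) as Failed_Count,
    count(eval(txnStatus="SUCCEEDED")) as Passed_Count by country, type, ProductCode, errorinfo`."""
    rows = {}
    for e in events:
        key = (e["country"], e["type"], e["ProductCode"], e["errorinfo"])
        r = rows.setdefault(key, {"Total": 0, "Failed_Count": 0, "Passed_Count": 0})
        r["Total"] += 1
        r["Failed_Count"] += e["txnStatus"] == "FAILED"
        r["Passed_Count"] += e["txnStatus"] == "SUCCEEDED"
    return rows

def error_rows_with_country_total(events, strict=True):
    """Pass 2, like `eventstats sum(Total) as Total by country`, then `where errorinfo!="NA"`.
    strict=True sums Failed_Count + Passed_Count instead of Total, so a country's Total is exactly
    FAILED + SUCCEEDED; plain `count` would also include the PENDING event above.
    The filter runs after eventstats so the SUCCEEDED rows still feed the country total."""
    rows = stats_by_errorinfo(events)
    per_country = Counter()
    for (country, *_), r in rows.items():
        per_country[country] += (r["Failed_Count"] + r["Passed_Count"]) if strict else r["Total"]
    out = []
    for (country, typ, code, errorinfo), r in rows.items():
        if errorinfo == "NA":
            continue
        total = per_country[country]
        out.append({"country": country, "ProductCode": code, "type": typ,
                    "Failed_Count": r["Failed_Count"], "errorinfo": errorinfo,
                    "Total": total, "pct": round(100.0 * r["Failed_Count"] / total, 1)})
    return out

if __name__ == "__main__":
    for row in error_rows_with_country_total(EVENTS):
        print(row)
```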