Hi!

Thanks for the great input and help. But what if I don't want the output data to be fake?

When I tried the above I wasn't getting any results.

| makeresults 
| eval raw="CustAcctSvcAsync-CustAcctAsyncPA::CCSubscrAsyncSvc-CCSubscriptionSvcPA::CCSubscrAsyncSvc-CCSubscriptionSvcPA-1::CDMSvcAsync-CDMSvcAsyncPA::CDMSvcAsync-1-CDMSvcAsyncPA::CDMSvcAsync-HeathCheck::CDMSvcAsync-1-HeathCheck-1::CDMSvcAsync-RetryPA::CDMSvcAsync-1-RetryPA-1::CDMSvcAsync-CDMSvcAsyncPA-1::CDMSvcAsync-1-CDMSvcAsyncPA-1" 
| makemv delim="::" raw 
| mvexpand raw 
| rex field=raw "^(?<InterfaceName>\S+)\s+(?<Count>\S+)$" 
| table InterfaceName, Count
| rename COMMENT AS "Everything above fakes your event data; everything below is your solution"
| rex field=InterfaceName mode=sed "s/[\-\d]+//g" 
| eval _time = now() 
| chart sum(Count) AS Count OVER _time BY InterfaceName 
| fields - _time

Ultimately I'd like to merge the corresponding fields together (i.e. CCSubscriptionSvcPA with CCSubscriptionSvcPA -1).

Not sure why I'm having such a difficult time with this one when it's worked with other things such as host.

Greatly appreciate the advice.

You need to replace all the stuff before and including the rename line with your base search and then it should work.

Nope 😕

index=tibco environment=Dev InterfaceName="CCSubscrAsyncSvc*" OR InterfaceName="CustAcctSvcAsync*" OR InterfaceName="CDMSvcAsync-CDMSvcAsyncPA*" OR InterfaceName="CDMSvcAsync-RetryPA*"
| rex field=InterfaceName mode=sed "s/[\-\d]+//g" 
| eval _time = now() 
| chart sum(Count) AS Count OVER _time BY InterfaceName 
| fields - _time

I went back 30 Days and it came back with No Results this time...

Hi Giuseppe,

That didn't work either.

Actual script:

index=tibco host=tus3eaiapppin22 OR host=tus3eaiapppin19 InterfaceName="CustAcctSvcAsync*" OR InterfaceName="CCSubscrAsyncSvc*" OR InterfaceName="CDMSvc*"
| eval ("status":"SUCCESS") OR ("ended successfully")="Success"

| eval (SYS_ERR_27001) OR (SYS_ERR_27002) OR (SYS_ERR_27004) OR (SYS_ERR_27011) OR (SYS_ERR_27012)="Errors"
| stats count as Success by InterfaceName, host

| append [search index=tibco host=tus3eaiapppin22 OR host=tus3eaiapppin19 InterfaceName="CustAcctSvcAsync*" OR InterfaceName="CCSubscrAsyncSvc*" OR InterfaceName="CDMSvc*" [error]
| stats count as Errors by InterfaceName, host ]

| stats values(Success) as Success, values(Errors) as Errors by InterfaceName, host
| fillnull Success, Errors | addtotals | eval "Success%"=round((Success/Total)*100,2)

| table InterfaceName, Success, Errors | sort - Success%

I also noticed that the query is only giving me the count of on Success... If I change the | stats count as Success by InterfaceName, host to | stats count as Errors by InterfaceName, host the same data is then moved to the errors column... 😕

Hi leomedina,
your evals are wrong:
syntax is

| eval fieldname=case(fieldname="case1",value1,fieldname="case2",value2,fieldname="case3",value3)

(see http://docs.splunk.com/Documentation/Splunk/6.5.3/SearchReference/Eval)

so I don't know if the fieldname is InterfaceName and which are the fileds in your conditions, so I use this field, if I'm wrong change fieldname and conditions:

...
| eval InterfaceName=if(status="SUCCESS" OR status="ended successfully","Success")
| eval InterfaceName=if(InterfaceName="SYS_ERR_27001" OR InterfaceName="SYS_ERR_27002" OR InterfaceName="SYS_ERR_27004" OR InterfaceName="SYS_ERR_27011" OR InterfaceName="SYS_ERR_27012","Errors" )
...

Bye.
Giuseppe

Hi there...

Please see my comment above...

Hi Giuseppe,

Please see my "almost forgot" comment above... I am attempting to reconcile a number of interface outputs/returns into a single individual output (eg. InterfaceName=data* returns data for several interface names data213, data 1 data2. I want to see the total of these in one simple output as "data ===bar graph=== count".

Greatly appreciate your help in advance.

Kind regards,

Leo