HELP! Merging results from a search into a bar chart

Explorer

Hello,

I am trying to merge/concatenate the results of a field with a wild card into one. Your help is greatly appreciated.

Sample query:

index=tibco host=kewlbox OR host=QAbox InterfaceName="data" OR InterfaceName="from" OR InterfaceName="tibco"
| stats count as Success by InterfaceName, host
| append [search index=tibco host=kewlbox OR host=QAbox InterfaceName="data" OR InterfaceName="from" OR InterfaceName="tibco" [error]
| stats count as Errors by InterfaceName, host ]
| stats values(Success) as Success, values(Errors) as Errors by InterfaceName, host
| fillnull Success, Errors | addtotals | eval "Success%"=round((Success/Total)*100,2)
| table InterfaceName, Success, Errors | sort - Success%


Re: HELP! Merging results from a search into a bar chart

Explorer

Almost forgot... Sample output today:

InterfaceName Count
data 213
data1 43
data2 125
from 32
from-1 09
tibco5 4
tibco3 7

Data that I would like to see is a compilation of everything named data into one with all of the values added; same for from and tibco. So at the end of the day we'll have data = 381 from = 41 and tibco = 11

Thanks again in advance.


Re: HELP! Merging results from a search into a bar chart

Legend

Hi leomedina,
I don't understand your need:
this search seems to be correct; what additional result would you like?
What is the field with a wildcard you are talking about?
Note that in the table command you forgot host!
Bye.
Giuseppe


Re: HELP! Merging results from a search into a bar chart

Explorer

Hi Giuseppe,

Please see my "almost forgot" comment above... I am attempting to reconcile a number of interface outputs/returns into a single individual output (e.g. InterfaceName=data* returns data for several interface names: data213, data1, data2). I want to see the total of these in one simple output as "data ===bar graph=== count".

Greatly appreciate your help in advance.

Kind regards,

Leo


Re: HELP! Merging results from a search into a bar chart

Esteemed Legend

Break this apart line by line from the bottom up and you should be able to build what you need:

index=tibco host=kewlbox OR host=QAbox InterfaceName="data*" OR InterfaceName="from*" OR InterfaceName="tibco*"
| stats count AS Total count(eval(searchmatch("[error]"))) AS Errors BY InterfaceName host
| eval Success = Total - Errors
| stats sum(*) AS * BY InterfaceName

Re: HELP! Merging results from a search into a bar chart

Explorer

Hi there...

Please see my comment above...


Re: HELP! Merging results from a search into a bar chart

Legend

Hi leomedina,
I hope I have understood your need; try this:

index=tibco host=kewlbox OR host=QAbox InterfaceName="data*" OR InterfaceName="from*" OR InterfaceName="tibco*"
| eval InterfaceName=case(InterfaceName="data*","data", InterfaceName="from*", "from", InterfaceName="tibco*","tibco")
| stats count as Success by InterfaceName, host 
| append [search index=tibco host=kewlbox OR host=QAbox InterfaceName="data*" OR InterfaceName="from*" OR InterfaceName="tibco*" [error] 
| eval InterfaceName=case(InterfaceName="data*","data", InterfaceName="from*", "from", InterfaceName="tibco*","tibco")
| stats count as Errors by InterfaceName, host ] 
| stats values(Success) as Success, values(Errors) as Errors by InterfaceName, host 
| fillnull Success, Errors | addtotals | eval "Success%"=round((Success/Total)*100,2) 
| table InterfaceName, Success, Errors | sort - Success%

Bye.
Giuseppe


Re: HELP! Merging results from a search into a bar chart

Explorer

Hi Giuseppe,

That didn't work either.


Re: HELP! Merging results from a search into a bar chart

Explorer

Actual script:

index=tibco host=tus3eaiapppin22 OR host=tus3eaiapppin19 InterfaceName="CustAcctSvcAsync" OR InterfaceName="CCSubscrAsyncSvc" OR InterfaceName="CDMSvc"
| eval ("status":"SUCCESS") OR ("ended successfully")="Success"
| eval (SYSERR27001) OR (SYSERR27002) OR (SYSERR27004) OR (SYSERR27011) OR (SYSERR27012)="Errors"
| stats count as Success by InterfaceName, host
| append [search index=tibco host=tus3eaiapppin22 OR host=tus3eaiapppin19 InterfaceName="CustAcctSvcAsync" OR InterfaceName="CCSubscrAsyncSvc" OR InterfaceName="CDMSvc" [error]
| stats count as Errors by InterfaceName, host ]
| stats values(Success) as Success, values(Errors) as Errors by InterfaceName, host
| fillnull Success, Errors | addtotals | eval "Success%"=round((Success/Total)*100,2)
| table InterfaceName, Success, Errors | sort - Success%

I also noticed that the query is only giving me the count on Success... If I change | stats count as Success by InterfaceName, host to | stats count as Errors by InterfaceName, host, the same data is then moved to the Errors column... 😕


Re: HELP! Merging results from a search into a bar chart

Legend

Hi leomedina,
your evals are wrong:
syntax is

| eval fieldname=case(fieldname="case1",value1,fieldname="case2",value2,fieldname="case3",value3)

(see http://docs.splunk.com/Documentation/Splunk/6.5.3/SearchReference/Eval)

so I don't know if the fieldname is InterfaceName and which fields are in your conditions, so I use this field; if I'm wrong, change fieldname and conditions:

...
| eval InterfaceName=if(status="SUCCESS" OR status="ended successfully","Success")
| eval InterfaceName=if(InterfaceName="SYS_ERR_27001" OR InterfaceName="SYS_ERR_27002" OR InterfaceName="SYS_ERR_27004" OR InterfaceName="SYS_ERR_27011" OR InterfaceName="SYS_ERR_27012","Errors" )
...

Bye.
Giuseppe

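As an added example (it is not from anyone in this thread and not from Splunk's documentation), the following single search combines the two points made above: the bottom-up query from the earlier reply (count errors with count(eval(...)), derive Success from Total, then sum across hosts) and the eval case()/if() syntax just described. Two things differ from the posted queries. First, eval's = operator compares exact strings and does not expand wildcards, so InterfaceName="data*" never matches inside case(); the grouping below uses like() with a % wildcard instead, and falls back to the original name for anything unmatched. Second, in a search clause an implicit AND binds tighter than OR, so host=A OR host=B InterfaceName=X is read as host=A OR (host=B InterfaceName=X); the host and InterfaceName conditions are parenthesized here so both apply to every event. The hosts, interface names, the "status":"SUCCESS" / "ended successfully" success markers and the SYSERR27001-27012 error codes are taken from the asker's posted query and are assumed to appear in _raw; adjust the like() and match() patterns if they live in extracted fields. The percentage field is named SuccessPct rather than "Success%" only to avoid quoting it in sort.

```spl
index=tibco (host=tus3eaiapppin22 OR host=tus3eaiapppin19)
    (InterfaceName="CustAcctSvcAsync*" OR InterfaceName="CCSubscrAsyncSvc*" OR InterfaceName="CDMSvc*")
| eval Family=case(
      like(InterfaceName,"CustAcctSvcAsync%"), "CustAcctSvcAsync",
      like(InterfaceName,"CCSubscrAsyncSvc%"), "CCSubscrAsyncSvc",
      like(InterfaceName,"CDMSvc%"),           "CDMSvc",
      true(),                                  InterfaceName)
| eval Outcome=case(
      like(_raw,"%\"status\":\"SUCCESS\"%") OR like(_raw,"%ended successfully%"), "Success",
      match(_raw,"SYSERR2700[124]|SYSERR2701[12]"),                                  "Errors",
      true(),                                                                        "Other")
| stats count(eval(Outcome="Success")) AS Success
        count(eval(Outcome="Errors"))  AS Errors
        count                          AS Total
        BY Family host
| stats sum(Success) AS Success sum(Errors) AS Errors sum(Total) AS Total BY Family
| eval SuccessPct=round(Success/Total*100,2)
| sort - SuccessPct
| table Family Success Errors Total SuccessPct
```

The first stats keeps one row per Family and host (the same granularity the thread's queries use), the second stats collapses the hosts so each family becomes one bar, and the Total column is kept so that a low SuccessPct can be read against the volume behind it. Events that match neither marker land in "Other" and still count toward Total; if they should be excluded from the denominator, add a where Outcome!="Other" after the second eval. Because the whole result is produced by one search, no append or fillnull is needed and the Success and Errors columns can no longer be swapped by renaming a single count.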