Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I get separate count for one field and then show total count in the other column

mehwishw
New Member
‎08-31-2016 11:54 PM

Hi : I want a table something like :

API Code Count Total

API1 404 2 11

500 3
303 6
API2 404 4 14
500 10

alt text

my query is :

index=apigee sourcetype=facade channelId=* responseStatusCode>"399" | eval API=case(match(Referer,"./abc$") , "API1" , match(Referer,"./xyz$") , "API2" , match(Referer,".*/uvw$") , "API3") , response_failed=case(responseStatusCode>"399","failed")|stats values(responseStatusCode) as "Code" , count(responseStatusCode) as "Count",count(response_failed) as "Total" by API

I want separate count for values of responsetatusCode.

but currently I am getting :

API Code Count Total
API1 404 11 11
500

303

API2 404 14 14
500

alt text

Tags (3)
Preview file
4 KB
Preview file
4 KB
0 Karma
Reply

sundareshr
Legend
‎09-01-2016 06:09 AM

See if this works for you

index=apigee sourcetype=facade channelId= responseStatusCode>"399" 
| eval API=case(match(Referer,"./abc$") , "API1" , match(Referer,"./xyz$") , "API2" , match(Referer,"./uvw$") , "API3") , response_failed=case(responseStatusCode>"399","failed")
| eventstats count as Total by API
| stats count max(Total) as Total by API Code 
| stats values(Code) as Code values(count) as Count values(Total) as Total by API
| table API Code Count Total
0 Karma
Reply

mehwishw
New Member
‎09-01-2016 09:29 PM

I have changed a bit of your solution and now my code looks like :

index=apigee sourcetype=facade channelId= responseStatusCode>"399"
| eval API=case(match(Referer,"./abc$") , "API1" , match(Referer,"./xyz$") , "API2" , match(Referer,"./uvw$") , "API3") , response_failed=case(responseStatusCode>"399","failed")
|stats count(responseStatusCode) as "rescount" by API responseStatusCode | stats values(responseStatusCode) as "Code",count(response_failed) as "Total",values(rescount) as "Count" by API | table API Code Count Total

I am getting the separate count but getting 0 in the total tab

0 Karma
Reply

mehwishw
New Member
‎09-01-2016 10:09 PM

I am getting the desired value now here is my query :

index=apigee sourcetype=facade channelId= responseStatusCode>"399"
| eval API=case(match(Referer,"./abc$") , "API1" , match(Referer,"./xyz$") , "API2" , match(Referer,"./uvw$") , "API3") , response_failed=case(responseStatusCode>"399","failed")
stats count as "rescount" by API responseStatusCode
| stats values(responseStatusCode) as "Code",values(rescount) as "Count", sum(rescount) as "Total" by API

Thanks for the help 🙂

0 Karma
Reply

renjith_nair
Legend
‎09-01-2016 06:07 AM

Try this

index=apigee sourcetype=facade channelId= responseStatusCode>"399" | eval API=case(match(Referer,"./abc$") , "API1" , match(Referer,"./xyz$") , "API2" , match(Referer,"./uvw$") , "API3") , response_failed=case(responseStatusCode>"399","failed")|stats  count as "Count",count(response_failed) as "failedTotal" by API,responseStatusCode|eventstats sum(failedTotal) by API|fields - failedTotal

You might need to tune a bit,sorry no system to test at the moment

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

mehwishw
New Member
‎09-01-2016 10:10 PM

I am getting the desired value now here is my query :

index=apigee sourcetype=facade channelId= responseStatusCode>"399"
| eval API=case(match(Referer,"./abc$") , "API1" , match(Referer,"./xyz$") , "API2" , match(Referer,"./uvw$") , "API3") , response_failed=case(responseStatusCode>"399","failed")
stats count as "rescount" by API responseStatusCode
| stats values(responseStatusCode) as "Code",values(rescount) as "Count", sum(rescount) as "Total" by API

Thanks for the help 🙂

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...