Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I rename field values and add up the count(*) if the value is the same?

rohanmiskin
Explorer
‎02-05-2019 01:28 AM

How do I rename field values, and if the values are same, add up the corresponding count value?

index="abc" earliest=-d latest=now StatusCode="4*" OR StatusCode="5*" OR StatusCode="206 *" OR StatusCode="3*"  | stats count(StatusCode) AS NoOfFailures by StatusCode

The result i get is 

StatusCode               | count(StatusCode)
206 Partial Content      | 5
400 Bad Request          |  8
404 Not Found            | 3

Then i add rename for the fields

index="abc" earliest=-d latest=now StatusCode="4*" OR StatusCode="5*" OR StatusCode="206 *" OR StatusCode="3*"  | stats count(StatusCode) AS NoOfFailures by StatusCode | replace "404 Not Found" with "Medium", "206 Partial Content" with "Low", "400 Bad Request" with "Medium" | table StatusCode,NoOfFailures

The result i get is

StatusCode              | count(StatusCode)
LOW                     | 5
Medium                  |  8
Medium                  | 3

But the result i want is 

StatusCode              | count(StatusCode)
LOW                     | 5
Medium                  |  11

11 = 8+3 (i.e., I want all with value as medium to be in one row with the total number of count(*)

Can anybody help me how to do this?

0 Karma
Reply

harishalipaka
Motivator
‎02-05-2019 02:14 AM

hi @rohanmiskin

try like this index="abc" earliest=-d latest=now StatusCode="4*" OR StatusCode="5*" OR StatusCode="206 " OR StatusCode="3" | stats count(StatusCode) as NoOfFailures by StatusCode | replace "404 Not Found" with "Medium", "206 Partial Content" with "Low", "400 Bad Request" with "Medium" | table StatusCode,NoOfFailures |stats sum(NoOfFailures) as NoofFailure by StatusCode

Thanks
Harish
0 Karma
Reply

rohanmiskin
Explorer
‎02-06-2019 03:29 AM

Yup, this works perfectly. Thank you.

0 Karma
Reply

chrisyounger
SplunkTrust
SplunkTrust
‎02-05-2019 01:50 AM

Hi

Try this index="abc" earliest=-d latest=now StatusCode="4*" OR StatusCode="5*" OR StatusCode="206 " OR StatusCode="3" | eval statusSeverity = case(StatusCode=="404 Not Found", "Medium, StatusCode=="206 Partial Content", true(), "Unknown") | stats count by statusSeverity

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...