Splunk Search

How do I rename field values and add up the count(*) if the value is the same?

Explorer

How do I rename field values, and if the values are the same, add up the corresponding count value?

index="abc" earliest=-d latest=now StatusCode="4*" OR StatusCode="5*" OR StatusCode="206 *" OR StatusCode="3*"  | stats count(StatusCode) AS NoOfFailures by StatusCode

The result I get is

StatusCode               | count(StatusCode)
206 Partial Content      | 5
400 Bad Request          |  8
404 Not Found            | 3

Then I add rename for the fields

index="abc" earliest=-d latest=now StatusCode="4*" OR StatusCode="5*" OR StatusCode="206 *" OR StatusCode="3*"  | stats count(StatusCode) AS NoOfFailures by StatusCode | replace "404 Not Found" with "Medium", "206 Partial Content" with "Low", "400 Bad Request" with "Medium" | table StatusCode,NoOfFailures

The result I get is

StatusCode              | count(StatusCode)
LOW                     | 5
Medium                  |  8
Medium                  | 3

But the result I want is

StatusCode              | count(StatusCode)
LOW                     | 5
Medium                  |  11 

11 = 8+3 (i.e., I want all with value as medium to be in one row with the total number of count(*))

Can anybody help me how to do this?

0 Karma

Hi @rohanmiskin

Try like this:

index="abc" earliest=-d latest=now StatusCode="4*" OR StatusCode="5*" OR StatusCode="206 *" OR StatusCode="3*" | stats count(StatusCode) as NoOfFailures by StatusCode | replace "404 Not Found" with "Medium", "206 Partial Content" with "Low", "400 Bad Request" with "Medium" | table StatusCode,NoOfFailures | stats sum(NoOfFailures) as NoofFailure by StatusCode

0 Karma

Explorer

Yup, this works perfectly. Thank you.

0 Karma

SplunkTrust

Hi

Try this:

index="abc" earliest=-d latest=now StatusCode="4*" OR StatusCode="5*" OR StatusCode="206 *" OR StatusCode="3*" | eval statusSeverity = case(StatusCode=="404 Not Found", "Medium", StatusCode=="206 Partial Content", "Low", true(), "Unknown") | stats count by statusSeverity

0 Karma