Solved: How to combine multiple rows into one row

am2498 · ‎04-26-2021

Hi, I am new to splunk. I have a query to return the count of successes and failures

I have a field http_status that can either be 200 (success) or anything other than 200 (failure)

| stats count by http_status currently returns:

200 111

400 214

401 1

I want that anything other than 200 be grouped together as failure:

success 111

failure 215

Is there any way to do this?

gcusello · ‎04-26-2021

before the stats command, you have to define a new variable using eval and use this new variable in the stats command:

your_search
| eval status=if(http_status="200","success","failure")
| stats count BY status

Ciao.

Giuseppe

gcusello · ‎04-26-2021

before the stats command, you have to define a new variable using eval and use this new variable in the stats command:

your_search
| eval status=if(http_status="200","success","failure")
| stats count BY status

Ciao.

Giuseppe

How to combine multiple rows into one row