Splunk Search

How to combine searches to generate stats of domains with "success" and "failure" columns?

Communicator

I am attempting to combine two searches against a custom app within custom props.conf but am going in circles. Both searches are the same, with the exception of: Search1 is reporting on a "yes" or success statement, Search2 is reporting on a "no" or failed statement. I am trying to generate stats of domains with a success column and a failure column. Is there a better way?

Search 1

eventtype=some_events APP1
| search (*) (*) NOT ("filter expression") 
| search "APP1 Version:" OR "MODULE: Report MESSAGE: Results:" OR "Response" system=*
| transaction system maxspan=24h 
| eval completed=if(searchmatch("Results:"),"yes","no")  
| search completed=yes
| rex field=system "[^.]*\.(?<FQDN>.*)"
| stats count by FQDN 
| sort -count
| rename count AS success
| dedup FQDN

Search 2

eventtype=some_events APP1
| search (*) (*) NOT ("filter expression") 
| search "APP1 Version:" OR "MODULE: Report MESSAGE: Results:" OR "Response" system=*
| transaction system maxspan=24h 
| eval completed=if(searchmatch("Results:"),"yes","no")  
| search completed!=yes
| rex field=system "[^.]*\.(?<FQDN>.*)"
| stats count by FQDN 
| sort -count
| rename count AS failed
| dedup FQDN

Desired output:

FQDN                Success                        Failed
domain1.com         ##                             ##
domain2.com         ##                             ##

Re: How to combine searches to generate stats of domains with "success" and "failure" columns?

Super Champion

Try something like this:

eventtype=some_events APP1
| search (*) (*) NOT ("filter expression")
| search "APP1 Version:" OR "MODULE: Report MESSAGE: Results:" OR "Response" system=*
| transaction system maxspan=24h
| eval completed=if(searchmatch("Results:"),"yes","no")
| rex field=system "[^.]*\.(?<FQDN>.*)"
| stats count(eval(match(completed,"yes"))) as success count(eval(match(completed,"no"))) as failed by FQDN

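As an added illustration that is not code from this thread, the Python below models what the accepted answer's single pipeline computes: events of one system are grouped into transactions within maxspan, a transaction counts as completed when any of its events contains "Results:", the FQDN is extracted with the same regex (Python's named-group syntax is `(?P<FQDN>...)`), and one pass keeps two conditional counters per FQDN, as `count(eval(...))` does. The sample events and the helper names are constructed assumptions, and the transaction grouping is a simplified model of Splunk's `transaction` command.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the original post): (timestamp, system, message).
EVENTS = [
    ("2024-01-01T00:00:00", "web01.domain1.com", "APP1 Version: 2.1"),
    ("2024-01-01T00:05:00", "web01.domain1.com", "MODULE: Report MESSAGE: Results: ok"),
    ("2024-01-01T00:00:00", "web02.domain1.com", "APP1 Version: 2.1"),
    ("2024-01-01T00:07:00", "web02.domain1.com", "Response timeout"),
    ("2024-01-01T01:00:00", "web03.domain1.com", "MODULE: Report MESSAGE: Results: ok"),
    ("2024-01-01T00:00:00", "db01.domain2.com", "APP1 Version: 2.1"),
    # 48h later: exceeds maxspan=24h, so this starts a second transaction for db01
    ("2024-01-03T00:00:00", "db01.domain2.com", "MODULE: Report MESSAGE: Results: ok"),
]

# Same extraction as the post's rex: drop the host label, keep the rest as FQDN.
FQDN_RE = re.compile(r"[^.]*\.(?P<FQDN>.*)")

def transactions(events, maxspan=timedelta(hours=24)):
    """Simplified model of `transaction system maxspan=24h`: events of one system,
    in time order, stay in the same transaction while they fall within maxspan
    of the transaction's first event; otherwise a new transaction starts."""
    by_system = defaultdict(list)
    for ts, system, msg in sorted(events):
        by_system[system].append((datetime.fromisoformat(ts), msg))
    result = []
    for system, evs in by_system.items():
        current = []
        for ts, msg in evs:
            if current and ts - current[0][0] > maxspan:
                result.append((system, current))
                current = []
            current.append((ts, msg))
        result.append((system, current))
    return result

def success_failed_by_fqdn(events):
    """Models eval completed=... | rex ... | stats count(eval(...)) AS success
    count(eval(...)) AS failed BY FQDN: one pass, two conditional counters."""
    table = defaultdict(lambda: {"success": 0, "failed": 0})
    for system, evs in transactions(events):
        # searchmatch("Results:") is true if any event in the transaction contains it
        completed = any("Results:" in msg for _, msg in evs)
        m = FQDN_RE.match(system)
        if not m:
            continue  # a system without a dot yields no FQDN; stats BY drops it
        table[m.group("FQDN")]["success" if completed else "failed"] += 1
    return dict(table)
```

Running it on the sample events gives one row per FQDN with both counters, which is the desired output of the question without joining two searches.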

Re: How to combine searches to generate stats of domains with "success" and "failure" columns?

Communicator

Worked perfectly. Greatly appreciated.
