Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to combine searches to generate stats of domai...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tlmayes
Contributor
01-17-2017
10:37 AM
I am attempting to combine two searches against a custom app within custom props.conf but am going in circles. Both searches are the same, with the exception of: Search1 is reporting on a "yes" or success statement, Search2 is reporting on a "no" or failed statement. I am trying to generate stats of domains with a success column and a failure column. Is there a better way?
Search 1
eventtype=some_events APP1
| search (*) (*) NOT ("filter expression")
| search "APP1 Version:" OR "MODULE: Report MESSAGE: Results:" OR "Response" system=*
| transaction system maxspan=24h
| eval completed=if(searchmatch("Results:"),"yes","no")
| search completed=yes
| rex field=system "[^.]*.(?.*)"
| stats count by FQDN
| sort -count
| rename count AS success
| dedup FQDN
Search 2
eventtype=some_events APP1
| search (*) (*) NOT ("filter expression")
| search "APP1 Version:" OR "MODULE: Report MESSAGE: Results:" OR "Response" system=*
| transaction system maxspan=24h
| eval completed=if(searchmatch("Results:"),"yes","no")
| search completed!=yes
| rex field=system "[^.]*.(?.*)"
| stats count by FQDN
| sort -count
| rename count AS failed
| dedup FQDN
Desired output:
FQDN Success Failed
domain1.com ## ##
domain2.com ## ##
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmerriman
Super Champion
01-17-2017
10:41 AM
try something like this
eventtype=some_events APP1
| search () () NOT ("filter expression")
| search "APP1 Version:" OR "MODULE: Report MESSAGE: Results:" OR "Response" system=
| transaction system maxspan=24h
| eval completed=if(searchmatch("Results:"),"yes","no")
| rex field=system "[^.].(?.*)"
| stats count(eval(match(completed,"yes"))) as success count(eval(match(completed,"no"))) as failed by FQDN
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmerriman
Super Champion
01-17-2017
10:41 AM
try something like this
eventtype=some_events APP1
| search () () NOT ("filter expression")
| search "APP1 Version:" OR "MODULE: Report MESSAGE: Results:" OR "Response" system=
| transaction system maxspan=24h
| eval completed=if(searchmatch("Results:"),"yes","no")
| rex field=system "[^.].(?.*)"
| stats count(eval(match(completed,"yes"))) as success count(eval(match(completed,"no"))) as failed by FQDN
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tlmayes
Contributor
01-17-2017
10:46 AM
Worked perfect. Greatly appreciated
Get Updates on the Splunk Community!
Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!
What are Community Office Hours?
Community Office Hours is an interactive 60-minute Zoom series where ...
[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events
This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...
Data Management Digest – December 2025
Welcome to the December edition of Data Management Digest!
As we continue our journey of data innovation, the ...
