Solved: How to correlate across events, then aggregate by ...

toehser1 · ‎08-26-2019

Something like,

DEBUG traceid=123 user=john
DEBUG traceid=123 result=200
DEBUG traceid=456 user=john
DEBUG traceid=456 result=400
DEBUG traceid=789 user=sue
DEBUG traceid=789 result=200
DEBUG traceid=abc user=john
DEBUG traceid=abc result=200

I want to get:
John success 2 failure 1
sue success 1 failure 0

masonmorales · ‎08-26-2019

Try this:

| stats values(user) as user, values(result) as result by traceid
| stats count(result="200") as "success", count(result!="200") as "failure" by user

View solution in original post

masonmorales · ‎08-26-2019

Try this:

| stats values(user) as user, values(result) as result by traceid
| stats count(result="200") as "success", count(result!="200") as "failure" by user

How to correlate across events, then aggregate by a different event?

October Community Champions: A Shoutout to Our Contributors!

Community Content Calendar, November Edition

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

How to correlate across events, then aggregate by a different event?

October Community Champions: A Shoutout to Our Contributors!

Community Content Calendar, November Edition

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!