Splunk Search

How to correlate across events, then aggregate by a different event?

toehser1
New Member

Something like,

DEBUG traceid=123 user=john
DEBUG traceid=123 result=200
DEBUG traceid=456 user=john
DEBUG traceid=456 result=400
DEBUG traceid=789 user=sue
DEBUG traceid=789 result=200
DEBUG traceid=abc user=john
DEBUG traceid=abc result=200

I want to get:
John success 2 failure 1
sue success 1 failure 0

0 Karma
1 Solution

masonmorales
Influencer

Try this:

| stats values(user) as user, values(result) as result by traceid
| stats count(result="200") as "success", count(result!="200") as "failure" by user

View solution in original post

masonmorales
Influencer

Try this:

| stats values(user) as user, values(result) as result by traceid
| stats count(result="200") as "success", count(result!="200") as "failure" by user
Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...