How to edit my search to add subtotals for success...

shivarpith · ‎02-04-2016

What I have:

Time                   User        count     Error
2016-02-04 04:18:00 cinci     1  
2016-02-04 04:18:01 cfl
                       tampabay    2     
2016-02-04 04:18:03 nc        4  
2016-02-04 04:18:04             1         1

What I need:

Time                   User        count      Error
2016-02-04 04:18:00 cinci     1  
2016-02-04 04:18:01 cfl
                       tampabay    2     
2016-02-04 04:18:03 nc        4  
Total users                        7
2016-02-04 04:18:04             1          1
Time                   User        count      Error
2016-02-04 04:18:08 cinci     2
2016-02-04 04:18:10 cfl
                       tampabay    2     
2016-02-04 04:18:13 nc        4  
Total users                        8
....
...
...

..... so before every error, it has to give the total successful event counts based on user and timestamp.

My search:

index=prod user=* 
| fields user,_time
| stats count by user,_time 
| stats values(user) as Domain,sum(count) as Total by _time
| append [ search index=prod error="xyz"
| stats count by error,_time
| stats count(error) as Error,sum(count) as Total by _time]
| sort _time

somesoni2 · ‎02-04-2016

Try something like this

index=prod user=* 
 | fields user,_time
 | stats count by user,_time 
 | stats values(user) as Domain,sum(count) as Total by _time
 | append [ search index=prod error="xyz"
 | stats count by error,_time
 | stats count(error) as Error,sum(count) as Total by _time]
 | sort _time
 | eval temp=Error | fillnull temp value=0
 | accum temp | appendpipe [| stats max(_time) as _time sum(Total) as Total by  temp | eval Domain="***************Total Users"]
 | sort _time temp | fields - temp

How to edit my search to add subtotals for successful events by _time for every error?

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability