Re: How to edit my search to return a chart which ...

martingawantka · ‎02-27-2017

Hey Splunk community.

i want to create a search that returns a chart which counts the failed and successful service executions, group by service name.
As base i have several events of the following type:

{   [-] 
     hostname:   iawmsis03  
     logMessage:     KL_Kpos.priv.bma.clientManagement:sendToUmDestination(uuid=b0be3a9f-5adc-4339-8e86-ca0f148290a3:txid=d40ff865-2edb-4930-8808-8e6ef67b6aab:storeNumber=0112:action=reinstall:country=CZ) Service finished.  
     loggingTimestamp:   Mon Feb 27 11:56:01 CET 2017   
     packageName:    KL_Kpos    
     serviceName:    KL_Kpos.priv.bma.clientManagement:sendToUmDestination  
     severity:   INFO   
     uuid:   b0be3a9f-5adc-4339-8e86-ca0f148290a3   
}

I am able to extract only the failed services ( source="http:WebServiceCollector" logMessage="*Service failed*" ) and the finished services ( source="http:WebServiceCollector" logMessage="*Service finished*"). But i am not able to create a chart that shows the number of finished and failed services group by service name.

The search source="http:WebServiceCollector" | chart count(eval(logMessage="*Service finished*")) as finished, count(eval(logMessage="*Service failed*")) as failed by serviceName" always returns 0 for finished and failed.

Kind regards,
Martin

DalJeanis · ‎04-21-2017

Edited post to make the *'s show up in the sample code. Basically, you need a space between an open parenthesis and the accent mark that marks the code sample. (`)

cmerriman · ‎02-27-2017

can you try:
EDITED

 source="http:WebServiceCollector" |eval finished=if(logMessage="Service finished",1,0)|eval failed=if(logMessage="Service failed",1,0)| chart sum(finished) as finished sum(failed) as failed by serviceName

martingawantka · ‎02-28-2017

It is not working :-(.
I think the search has a problem with the two "*" in the search (Unfortunately both * are missing in my first post.

source="http:WebServiceCollector" |eval finished=if(logMessage="*Service failed*",1,0) | stats count(finished)
returns exactly the same value as
source="http:WebServiceCollector" |eval finished=if(logMessage="*Service finished*",1,0) | stats count(finished)

cmerriman · ‎04-21-2017

try this:

 source="http:WebServiceCollector" |eval finished=if(like(logMessage,"%Service finished%"),1,0)|eval failed=if(like(logMessage,"%Service failed%"),1,0)| chart sum(finished) as finished sum(failed) as failed by serviceName

martingawantka · ‎04-28-2017

This works perectly fine for me. Thank you very much.

cmerriman · ‎05-31-2017

If this answers your question, could you please accept it to finalize the question? Thanks 🙂

DalJeanis · ‎04-21-2017

upvote because I prefer the "like" syntax over the = with asterisks.

somesoni2 · ‎02-27-2017

I believe you want to use sum(finished) and sum(failed) in the stats instead of count. (or update 0 with null() in if conditions).

cmerriman · ‎02-27-2017

Thanks @somesoni2, I copied over the original syntax and forgot to change the counts.

How to edit my search to return a chart which counts failed and successful service executions and group by service name?

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

How to edit my search to return a chart which counts failed and successful service executions and group by service name?

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine