Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to edit my search to return a chart which counts failed and successful service executions and group by service name?

martingawantka
New Member
‎02-27-2017 03:03 AM

Hey Splunk community.

i want to create a search that returns a chart which counts the failed and successful service executions, group by service name.
As base i have several events of the following type:

{   [-] 
     hostname:   iawmsis03  
     logMessage:     KL_Kpos.priv.bma.clientManagement:sendToUmDestination(uuid=b0be3a9f-5adc-4339-8e86-ca0f148290a3:txid=d40ff865-2edb-4930-8808-8e6ef67b6aab:storeNumber=0112:action=reinstall:country=CZ) Service finished.  
     loggingTimestamp:   Mon Feb 27 11:56:01 CET 2017   
     packageName:    KL_Kpos    
     serviceName:    KL_Kpos.priv.bma.clientManagement:sendToUmDestination  
     severity:   INFO   
     uuid:   b0be3a9f-5adc-4339-8e86-ca0f148290a3   
}

I am able to extract only the failed services ( source="http:WebServiceCollector" logMessage="*Service failed*" ) and the finished services ( source="http:WebServiceCollector" logMessage="*Service finished*"). But i am not able to create a chart that shows the number of finished and failed services group by service name.

The search source="http:WebServiceCollector" | chart count(eval(logMessage="*Service finished*")) as finished, count(eval(logMessage="*Service failed*")) as failed by serviceName" always returns 0 for finished and failed.

Kind regards,
Martin

0 Karma
Reply

DalJeanis
Legend
‎04-21-2017 07:48 AM

Edited post to make the *'s show up in the sample code. Basically, you need a space between an open parenthesis and the accent mark that marks the code sample. (`)

0 Karma
Reply

cmerriman
Super Champion
‎02-27-2017 06:20 AM

can you try:
EDITED

 source="http:WebServiceCollector" |eval finished=if(logMessage="Service finished",1,0)|eval failed=if(logMessage="Service failed",1,0)| chart sum(finished) as finished sum(failed) as failed by serviceName
Reply

martingawantka
New Member
‎02-28-2017 12:02 AM

It is not working :-(.
I think the search has a problem with the two "*" in the search (Unfortunately both * are missing in my first post.

source="http:WebServiceCollector" |eval finished=if(logMessage="*Service failed*",1,0) | stats count(finished)
returns exactly the same value as
source="http:WebServiceCollector" |eval finished=if(logMessage="*Service finished*",1,0) | stats count(finished)

0 Karma
Reply

cmerriman
Super Champion
‎04-21-2017 04:32 AM

try this:

 source="http:WebServiceCollector" |eval finished=if(like(logMessage,"%Service finished%"),1,0)|eval failed=if(like(logMessage,"%Service failed%"),1,0)| chart sum(finished) as finished sum(failed) as failed by serviceName
Reply

martingawantka
New Member
‎04-28-2017 01:23 AM

This works perectly fine for me. Thank you very much.

0 Karma
Reply

cmerriman
Super Champion
‎05-31-2017 08:23 AM

If this answers your question, could you please accept it to finalize the question? Thanks 🙂

0 Karma
Reply

DalJeanis
Legend
‎04-21-2017 07:46 AM

upvote because I prefer the "like" syntax over the = with asterisks.

0 Karma
Reply

somesoni2
Revered Legend
‎02-27-2017 11:54 AM

I believe you want to use sum(finished) and sum(failed) in the stats instead of count. (or update 0 with null() in if conditions).

Reply

cmerriman
Super Champion
‎02-27-2017 12:13 PM

Thanks @somesoni2, I copied over the original syntax and forgot to change the counts.

0 Karma
Reply
Get Updates on the Splunk Community!

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

Overwhelmed SOC? Splunk ES Has Your Back Tool sprawl, alert fatigue, and endless context switching are making ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us on ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...