- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to edit my stats search to display certain...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to edit my stats search to display certain fields based on a resulting value?
I have some data that looks like:
Status Rec_Cnt Message
OK 723 File produced 723 records
ERROR 123 Directory does not exist
What I want is for Status = "OK" to only display the Status and Rec_Cnt fields. If the status!="OK", then I want to display Status, Rec_Cnt and Message
so I tried
| ...base search...
| stats count by Status, Rec_Cnt
| where Status!="OK"
| stats count by Status, Rec_Cnt, Message
Which I didn't expect to work, and it did not. I know it is not that simple, but I am at a loss as to how to get what I am looking for.
Ideas on what I should try next?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How about this
| ...base search...
| stats count values(eval(Status="OK", "", Message)) as Message by Status, Rec_Cnt
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's much closer than what I had going on! Thanks
The only thing is that this is going to be a table on a dashboard panel, and there will only ever be 1 line of data (the latest event) displayed. I don't really want the NOC folks to see a message field unless there is a problem (status!=OK). The reason being is that after time, human nature will just glance up at the panel and will always see a "message" column (even a blank one) and discount it as normal, even if there is data displayed there.
Successful operations should just display 2 columns Status and Rec_Cnt, Message is for when there is an issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In that case, try this (this is just a brain dump, please review and tweak as needed)
<dashboard>
<search id="panel_logic">
<query>... base search ... NOT (Status="OK")</query>
<earliest>@d</earliest>
<latest>now</latest>
<done>
<condition match="'job.resultCount' > 0">
<set token="show_error">true</set>
<unset token="exec_search" />
</condition>
<condition>
<unset token="show_error" />
<set token="exec_search">yes</set>
</condition>
</done>
</search>
<!--- this is the panel with query for success ONLY with 2 columns-->
<panel rejects="$show_error$>
<table>
<search>
...
</table>
<!--- this is the panel with query for success AND failure with 3 columns-->
<panel depends="$show_error$>
<table>
<search>
...
</table>
Now, depends & rejects will only show/hide the panel if criteria is met, the search for the panel will executE, resulting in 3 searches in your dashboard. to minimize the number of times search gets executed, add the following to the respective searches. This will cause the search to wait for these specific tokens to be set. You can hide these fields from final display.
Search for success only add eval exec_search="$exec_search$"
Search for error condition add, eval show_error="$show_error$"
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
