Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to get count of successful events after failure?

Pjyoti
Engager
‎02-09-2023 07:35 AM

Hi,

I have a use case where in i want to find out how many download api failed for a given document and how many out of the failed were successful after subsequent call

I have no clue how to search this on splunk

right now I am finding the failed ones using the below query 

index=ty_ss “download/docIds?=“ “500”  | Rex “docId=(?<docId>.*)” | eval event_time = strftime() | table docIds, event_time

Labels (5)
Tags (1)
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎02-11-2023 01:20 AM

Hi @Pjyoti,

 

Can you please share a few log lines? Because it seems user and API return values should be extracted before analysis.

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

Pjyoti
Engager
‎02-11-2023 08:12 AM

sample logs attached

Tags (1)
Preview file
62 KB
0 Karma
Reply

Pjyoti
Engager
‎02-18-2023 07:58 AM

Hi any update ??

Can someone help

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎02-09-2023 09:08 AM

Hi @Pjyoti,

You can use streamstats to count successful downloads by resetting on fail.

https://docs.splunk.com/Documentation/Splunk/9.0.3/SearchReference/Streamstats#The_reset_on_change_a...

Please try below sample; 

index=ty_ss 
| streamstats count as success_count by http_response reset_after=(http_response=500)
If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply

Pjyoti
Engager
‎02-10-2023 09:03 AM

I think my question was not clear so the requirement here is that I need to find the below things :

1. How many documents failed with 500 error which is straightforward 

2. how many documents failed first time for all users and after how many retries were they successful (if they were) or were they not retried at all ?

I am stuck at the second case

i am not understanding how do I group the document and show a retry number if it wasn’t retried at all then it should give 0 if the retries didn’t work they should give some other result and if the retries were successful after how many attempts were they successful.

0 Karma
Reply

Pjyoti
Engager
‎02-10-2023 09:04 AM

By successful I mean the api returned 200 for that doc for that user

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...