Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to get count of successful events after failure?

Pjyoti
Engager
‎02-09-2023 07:35 AM

Hi,

I have a use case where in i want to find out how many download api failed for a given document and how many out of the failed were successful after subsequent call

I have no clue how to search this on splunk

right now I am finding the failed ones using the below query 

index=ty_ss “download/docIds?=“ “500”  | Rex “docId=(?<docId>.*)” | eval event_time = strftime() | table docIds, event_time

Labels (5)
Tags (1)
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎02-11-2023 01:20 AM

Hi @Pjyoti,

 

Can you please share a few log lines? Because it seems user and API return values should be extracted before analysis.

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

Pjyoti
Engager
‎02-11-2023 08:12 AM

sample logs attached

Tags (1)
Preview file
62 KB
0 Karma
Reply

Pjyoti
Engager
‎02-18-2023 07:58 AM

Hi any update ??

Can someone help

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎02-09-2023 09:08 AM

Hi @Pjyoti,

You can use streamstats to count successful downloads by resetting on fail.

https://docs.splunk.com/Documentation/Splunk/9.0.3/SearchReference/Streamstats#The_reset_on_change_a...

Please try below sample; 

index=ty_ss 
| streamstats count as success_count by http_response reset_after=(http_response=500)
If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply

Pjyoti
Engager
‎02-10-2023 09:03 AM

I think my question was not clear so the requirement here is that I need to find the below things :

1. How many documents failed with 500 error which is straightforward 

2. how many documents failed first time for all users and after how many retries were they successful (if they were) or were they not retried at all ?

I am stuck at the second case

i am not understanding how do I group the document and show a retry number if it wasn’t retried at all then it should give 0 if the retries didn’t work they should give some other result and if the retries were successful after how many attempts were they successful.

0 Karma
Reply

Pjyoti
Engager
‎02-10-2023 09:04 AM

By successful I mean the api returned 200 for that doc for that user

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...