Hello folks,
Thanks for visiting my question.
Users are getting two kinds of errors, say A and B, one at a time. Both cannot happen simultaneously. I want to get the number of users facing both types of error.
Can anyone please suggest a possible query to get this data?
Thanks in advance.
Hi @Sid_kum,
to do this you have to identify rules of errors, so if
You have to create a search like this:
index=your_index ("There's an error" OR "There's a second error")
| eval type=if(searchmatch("There's an error"),"A","B")
| stats dc(type) AS dc_type count(eval(type="A")) AS Err_A count(eval(type="B")) AS Err_B BY user
| where dc_type>1
Ciao.
Giuseppe
Thank you so much @gcusello for your quick response.
So basically, I have my field error_type, which can be error_type="There's an error" OR error_type="There's a second error", and I also have user_guid as Splunk data to fill when it matches. Now I have to get those user_guid values that have faced both kinds of error.
Thanks!
Hi @Sid_kum,
in this case it's easier:
index=your_index (error_type="There's an error" OR error_type="There's a second error")
| stats dc(error_type) AS dc_error_type count(eval(error_type="There's an error")) AS Err_A count(eval(error_type="There's a second error")) AS Err_B BY user_guid
| where dc_error_type>1
Ciao.
Giuseppe
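An added example, not part of the original posts: the search above run against constructed events from `makeresults`, so it can be checked without indexed data, with a final `stats` that reduces the result to the number of users the question asked for. The `sample-user-*` values and the `users_with_both` field name are assumptions made for illustration; sample-user-1 gets both error types, sample-user-2 only the first, sample-user-3 only the second.

```spl
| makeresults count=6
| streamstats count AS n
| eval user_guid=case(n<=2, "sample-user-1", n<=4, "sample-user-2", true(), "sample-user-3")
| eval error_type=if(n==1 OR n==3 OR n==4, "There's an error", "There's a second error")
| stats dc(error_type) AS dc_error_type count(eval(error_type="There's an error")) AS Err_A count(eval(error_type="There's a second error")) AS Err_B BY user_guid
| where dc_error_type>1
| stats dc(user_guid) AS users_with_both
```

Dropping the last line gives the per-user breakdown with the Err_A and Err_B counts instead of the total.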
@gcusello thank you!
Hi @Sid_kum,
good for you, see you next time!
If this answer solves your need, please accept it for the other people of the Community.
Ciao and happy splunking.
Giuseppe.
P.S.: Karma Points are appreciated 😉