Hello There,
I am trying to get overall stats for all the logs with a particular sourcetype; however, in some sourcetypes a particular event is missing on which I am applying a filter. For example, there are 10 (2 were tests from my side, 5 success and 3 fail). If I have to filter out the tests there is only 1 way, i.e. by locator. Now the problem is that for 'failure' the locator does not get fired, hence if I apply a filter to exclude tests, I am not getting the stats of Failure either. Can anyone please help me with how I can get overall stats by only excluding tests and getting insights on both Success and Fail?
Below is the script which I am using.
sourcetype=book_resptime (locator!="TST*" OR locator!="TEST*")
| stats count(book_success) AS Book, count(eval(book_success=0)) AS BookFail by connector
Thanks
Thank you!
Please don't tag questions with an app if they're not related to that app.
Removed the app tag
Can you try like:
sourcetype=book_resptime (locator!="TST*" OR locator!="TEST*") | fillnull value=0 locator | stats count(book_success) AS Book, count(eval(book_success=0)) AS BookFail by connector
Hey, thanks for that. For BookFail, locator will not get fired, so it's not working.
So by using fillnull you can fill null values... does this solve your issue?
No, it's not working.
If there are only 3 values, then firstly you can try (locator="success" OR locator="fail").
Then can you provide sample output of events?
Is this related to the Regex IDS app?
Not exactly, but if Regex IDS can help to get the desired answer, I will install that.
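
Added example, not part of the original thread: a small Python model of how Splunk's `search` command treats `field!=value` versus `NOT field=value` when the field is missing, run over constructed events that mirror the question (2 test, 5 success, 3 fail with no `locator`). The event values, the connector name `c1` and all helper names are assumptions made for illustration.

```python
from collections import Counter
from fnmatch import fnmatchcase

# Constructed sample events (not from the thread): 2 test, 5 success, 3 fail.
# As the asker describes, failure events carry no locator field at all.
EVENTS = (
    [{"connector": "c1", "locator": f"TST{i}", "book_success": 1} for i in range(2)]
    + [{"connector": "c1", "locator": f"LOC{i}", "book_success": 1} for i in range(5)]
    + [{"connector": "c1", "book_success": 0} for _ in range(3)]
)

def eq(event, field, pattern):
    """field="pattern": true only if the field exists and matches (case-insensitive)."""
    value = event.get(field)
    return value is not None and fnmatchcase(str(value).lower(), pattern.lower())

def ne(event, field, pattern):
    """field!="pattern": the field must exist AND not match; events without it are dropped."""
    value = event.get(field)
    return value is not None and not fnmatchcase(str(value).lower(), pattern.lower())

def original_filter(event):
    # Models the thread's filter: (locator!="TST*" OR locator!="TEST*")
    return ne(event, "locator", "TST*") or ne(event, "locator", "TEST*")

def not_filter(event):
    # Models the alternative: NOT (locator="TST*" OR locator="TEST*")
    return not (eq(event, "locator", "TST*") or eq(event, "locator", "TEST*"))

def stats(events, keep):
    """Mimic: stats count(book_success) AS Book,
    count(eval(book_success=0)) AS BookFail by connector"""
    out = {}
    for event in filter(keep, events):
        row = out.setdefault(event["connector"], Counter())
        row["Book"] += "book_success" in event         # counts every event that has the field
        row["BookFail"] += event.get("book_success") == 0
    return {connector: dict(row) for connector, row in out.items()}

if __name__ == "__main__":
    print("original filter:", stats(EVENTS, original_filter))
    print("NOT form       :", stats(EVENTS, not_filter))
```

In the model, the `!=` form keeps the test events (each one fails to match at least one of the two patterns) and drops every event that lacks `locator`, while the `NOT` form drops only the test events and keeps the failures.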