Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get overall stats if in a single log a particular event is missing?

Matinrokz
New Member
‎02-20-2018 03:10 AM

Hello There,

I am trying to get an overall stats for all the logs with a particular sourcetype, however in some sourcetye a particular event is missing from which i am applying a filter, for an example there are 10 (2 where test from my side, 5 success and 3 fail), if i have to filter out test there is only 1 way i.e. by locator now problem is for 'failure' locator does not get fired, hence if I apply a filter to exclude test, I am not getting stats of Failure as well, can anyone please help me how can i get overall stats by only excluding test and getting insights on both Success and fail?

below is the script which i am using.

sourcetype=book_resptime (locator!="TST*" OR locator!="TEST*") |
| stats count(book_success) AS Book, count(eval(book_success=0)) AS BookFail by connector

Thanks

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-20-2018 04:21 AM

Thank you!

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-20-2018 03:52 AM

Please don't tag questions with an app if they're not related to that app.

0 Karma
Reply

Matinrokz
New Member
‎02-20-2018 04:03 AM

Removed the app tag

0 Karma
Reply

493669
Super Champion
‎02-20-2018 03:18 AM

can you try like:

sourcetype=book_resptime (locator!="TST*" OR locator!="TEST*") |fillnull locator value=0| stats count(book_success) AS Book, count(eval(book_success=0)) AS BookFail by connector
0 Karma
Reply

Matinrokz
New Member
‎02-20-2018 03:26 AM

Hey Thanks for that, for Bookfail locator will not get fired, so it's not working.

0 Karma
Reply

493669
Super Champion
‎02-20-2018 03:28 AM

so by using fillnull you can fill null values...does this solves your issue?

0 Karma
Reply

Matinrokz
New Member
‎02-20-2018 03:30 AM

no, it's not working.

0 Karma
Reply

493669
Super Champion
‎02-20-2018 03:47 AM

if there are only 3 values then firstly you can try (locator="success" OR locator="fail")
then can you provide sample output of events

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-20-2018 03:13 AM

Is this related to the Regex IDS app?

0 Karma
Reply

Matinrokz
New Member
‎02-20-2018 03:44 AM

Not exactly, but if regex IDS can help to get that desired answer will install that.

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...