Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get total and sub search total per unique field value?

watersd
Engager
‎07-16-2019 04:15 PM

I'm trying to chart the exception rate of various apps that we run, and would ideally be generating a table that looks like this:

App ID | Exception | Number of ops with this exception | Total number of ops for this app

However, I haven't quite been able to get it working. The closest I have is this:

... | stats count as total_count, count(exception) as exception_count by app_id, exception

This isn't quite right since it only finds operations where an exception isn't null. Thus, for every row in the output table, total_count = exception_count. It seems like I need to find all operations, then filters by app_id, then finds the total_count, then filter by exception, then find the exception_count. What's the best way to do this?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-27-2019 12:59 PM

Like this:

... | eval exception=coalesce(exception, "WAS_NULL") 
| stats count BY app_id, exception 
| eventstats sum(count) AS total_count BY app_id 
| search NOT exception="WAS_NULL"

See this run-anywhere PoC:

index=_internal 
| rename component AS exception, sourcetype AS app_id 
| eval exception=coalesce(exception, "WAS_NULL") 
| stats count BY app_id, exception 
| eventstats sum(count) AS total_count BY app_id 
| search NOT exception="WAS_NULL"

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-27-2019 12:59 PM

Like this:

... | eval exception=coalesce(exception, "WAS_NULL") 
| stats count BY app_id, exception 
| eventstats sum(count) AS total_count BY app_id 
| search NOT exception="WAS_NULL"

See this run-anywhere PoC:

index=_internal 
| rename component AS exception, sourcetype AS app_id 
| eval exception=coalesce(exception, "WAS_NULL") 
| stats count BY app_id, exception 
| eventstats sum(count) AS total_count BY app_id 
| search NOT exception="WAS_NULL"
Reply
Solved! Jump to solution

watersd
Engager
‎07-29-2019 10:07 AM

Amazing! That's exactly what I was looking for. Thanks!

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎07-16-2019 07:45 PM

@watersd for the community to assist you better please add more context to your question. Kindly add some mock/anonymized sample data for us to understand what values you have for app_id, exception and also what an event look like which does not have exception.
Can you try the following search where if an event has exception field it will be counted as exception? I have removed exception fields from split by field and moved it as aggregate function for counting when it is not null.

<yourCurrentSearch>
| stats count as total_count, count(eval(isnotnull(exception)) as exception_count by app_id
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

watersd
Engager
‎07-18-2019 10:42 AM

Thanks. I updated the question with more info. It seems like I do need the exception field in the split by clause eventually.

0 Karma
Reply
Solved! Jump to solution

nareshinsvu
Builder
‎07-16-2019 06:35 PM

Can you try sum instead of count?

| stats count as total_count, sum(exception) as exception_count by app_id

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...