Splunk Search

How to group events and extract a field when grouped events contain a specific value?

kevinkuszyk
Engager

We have some overnight jobs that run and log out to Splunk. On top of this, we have a dashboard which groups by the job id and extracts information like start time, end time, duration etc.

The query looks a bit like this:

index=foo | stats range(_time) as duration by job-id | table job-id duration

We now want to add a status column to tell us if the job completed or had an error. If any of the events in a grouping have a log level of ERROR it should show Error, otherwise it should show Ok.
I've tried this snippet:

eval status=if(in(level, "ERROR"), "Error", "Ok")

Which is fine for evaluating on each event, but I want the grouping to show either Error or Ok depending on values in the level field for each group.

Is this possible in Splunk, and how should I write the query?

0 Karma
1 Solution

renjith_nair
Legend

@kevinkuszyk,

Try this:

|stats min(eval(if(level=="ERROR","Error","Ok"))) as status by group

OR

|stats count(eval(if(level=="ERROR",1,null()))) as status by group|eval status=if(status>0,"Error","Ok")
---
What goes around comes around. If it helps, hit it with Karma 🙂


woodcock
Esteemed Legend

Maybe this:

index=foo
| stats range(_time) AS duration count(eval(level="ERROR")) AS Errors BY job-id
0 Karma

woodcock
Esteemed Legend

Like this:

Your base search here
| stats count(eval(level == "ERROR")) AS errors count AS total BY group
| eval non_errors = total - errors
0 Karma
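
A self-contained way to check the grouping logic from the answers above before running it against real job logs (an added example, not part of any post in this thread). It builds six constructed events with `makeresults`, then combines the duration calculation from the question with the count-based status from the answers. The field name `job_id`, the job names and the `WARN`/`INFO` levels are assumptions made for the sample data.

```spl
| makeresults count=6
| streamstats count AS n
| eval job_id=if(n<=3, "job-A", "job-B")
| eval level=case(n==2, "ERROR", n==5, "WARN", true(), "INFO")
| eval _time=_time + n*60
| stats range(_time) AS duration count(eval(level=="ERROR")) AS errors BY job_id
| eval status=if(errors>0, "Error", "Ok")
| table job_id duration status
```

With this sample data both jobs show a duration of 120 seconds; job-A, which contains one ERROR event, shows Error, and job-B, which contains only INFO and WARN events, shows Ok. With a hyphenated field name such as `job-id`, wrap it in single quotes wherever it is referenced inside an `eval` expression.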
