Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to modify the search query to get the count of fields separately?

man03359
Communicator
‎05-31-2023 02:22 AM

Hi,

I am relatively new to Splunk. I am trying to achieve the output as -

Store Register Success_Count Failure_Count Total
         
         
         
         

 

I am using the below search query -

index=idx-stores-pos sourcetype=GSTR:Adyen:log Success OR Failure
| eval Store= substr(host,1,7)        ---------   extracting store and register from the host
| eval Register= substr(host,8,2)
| rex field=_raw "AdyenPaymentResponse:.+\sResult\s:\s(?<Status>.+)"
| stats count as Status_Count by Status
| eventstats sum(Status_Count) AS Total

it is giving me this result -

Status Status_Count Total
Failure 23 597
Success 574 597
     

 

Please help!

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-31-2023 03:19 AM

HI @man03359,

there are two issues:

you have to use Store instead Status in the BY clause:

index=idx-stores-pos sourcetype=GSTR:Adyen:log Success OR Failure
| eval Store= substr(host,1,7)
| eval Register= substr(host,8,2)
| rex field=_raw "AdyenPaymentResponse:.+\sResult\s:\s(?<Status>.+)"
| stats 
   count(eval(Status="Success")) AS Success_Count
   count(eval(Status="Failure")) AS Failure_Count 
   BY Store
| eval Total= Success_Count + Failure_Count
| table Store Register Success_Count Failure_Count Total

Then, please check the host value and if Store and Register fields are correctly extracted: you can check this running the search in Verbose mode and viewing the interesting fields in the events tab. 

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-31-2023 02:29 AM

Hi @man03359,

please tri something like this:

index=idx-stores-pos sourcetype=GSTR:Adyen:log Success OR Failure
| eval Store= substr(host,1,7)
| eval Register= substr(host,8,2)
| rex field=_raw "AdyenPaymentResponse:.+\sResult\s:\s(?<Status>.+)"
| stats 
   values(Register) AS Register
   count(eval(Status="Success")) AS Success_Count 
   count(eval(Status="Failure")) AS Failure_Count 
   BY Store
| eventstats sum(Status_Count) AS Total

please check the real conditions for success and failure.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

man03359
Communicator
‎05-31-2023 03:11 AM

I modified my query to - 

index=idx-stores-pos sourcetype=GSTR:Adyen:log Success OR Failure
| eval Store= substr(host,1,7)
| eval Register= substr(host,8,2)
| rex field=_raw "AdyenPaymentResponse:.+\sResult\s:\s(?<Status>.+)"
| stats count(eval(Status="Success")) as Success_Count,count(eval(Status="Failure")) as Failure_Count by Status
| eval Total= Success_Count + Failure_Count
| table Store Register Success_Count Failure_Count Total

which is giving me result -

StoreRegisterSuccess_CountFailure_CountTotal
  03535
  8930893
     
     

 

not sure why Store and Register values are blank

0 Karma
Reply
Solved! Jump to solution

man03359
Communicator
‎05-31-2023 03:20 AM

I tried this query and its working 🙂 🙂

 

 index=idx-stores-pos sourcetype=GSTR:Adyen:log Success OR Failure
| eval Store= substr(host,1,7)
| eval Register= substr(host,8,2)
| rex field=_raw "AdyenPaymentResponse:.+\sResult\s:\s(?<Status>.+)"
| stats
count(eval(Status="Success")) AS Success_Count
count(eval(Status="Failure")) AS Failure_Count
BY Store Register
| eval Total= Success_Count + Failure_Count

 

THANKS A LOT ❤️

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-31-2023 03:25 AM

Hi @man03359 ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-31-2023 03:19 AM

HI @man03359,

there are two issues:

you have to use Store instead Status in the BY clause:

index=idx-stores-pos sourcetype=GSTR:Adyen:log Success OR Failure
| eval Store= substr(host,1,7)
| eval Register= substr(host,8,2)
| rex field=_raw "AdyenPaymentResponse:.+\sResult\s:\s(?<Status>.+)"
| stats 
   count(eval(Status="Success")) AS Success_Count
   count(eval(Status="Failure")) AS Failure_Count 
   BY Store
| eval Total= Success_Count + Failure_Count
| table Store Register Success_Count Failure_Count Total

Then, please check the host value and if Store and Register fields are correctly extracted: you can check this running the search in Verbose mode and viewing the interesting fields in the events tab. 

Ciao.

Giuseppe

Reply
Solved! Jump to solution

man03359
Communicator
‎05-31-2023 03:06 AM

Thank you so much for the help 🙂 The above search query is giving the output like which is correct, but the register value should be in separate rows as well - 

StoreRegisterSuccess_CountFailure_Count
tkg045202 04101
tkg045302 04140
tkg045903 04 0680
tkg047701 0370
tkg047902 03 05120
tkg048603 04 05 06 07150

 

where as I am expecting like --

StoreRegisterSuccess_CountFailure_CountTotal
tkg04522   
tkg04524   
     
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...