Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to return count column in the existing search?

super_edition
Path Finder
‎05-16-2023 05:27 AM

Hello, 

I have below search query

 

 

index=my_index openshift_cluster="cluster009" sourcetype=openshift_logs openshift_namespace=my_ns 
("POST /online-shopping/debt_cart/v1 HTTP" 
OR "GET /online-shopping/debt_cart/v1/* HTTP"
OR "GET *online-shopping*debt_cart*productType* HTTP")
| eval Operations=case(
searchmatch("POST /online-shopping/debt_cart/v1 HTTP"),"create_cart",
searchmatch("GET /online-shopping/debt_cart/v1/*/summary HTTP"),"cart_summary",
searchmatch("GET *online-shopping*debt_cart*productType* HTTP"),"cart_productType",
match(_raw, "GET /online-shopping/debt_cart/v1/[^/ ?]+\sHTTP"),"getDebtCart")
| stats avg(processDuration) as average perc90(processDuration) as response90 by Operations 
| eval average=round(average,2),response90=round(response90,2)

 

 

which displays the data as below:

Operations average response90
create_cart 250 380
cart_summary 240 330
cart_productType 210 321
getDebtCart 260 365

 

Now I want to add the count of url pattern against each operation as below. I tried adding the count as part of stats. It is not working. 

Not sure how do I proceed.

Operations count average response90
create_cart 1919 250 380
cart_summary 2001 240 330
cart_productType 1971 210 321
getDebtCart 8162 260

365
Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-16-2023 05:40 AM

Please share the SPL you tried (which isn't working) and explain what results you did get?

View solution in original post

0 Karma
Reply
Solved! Jump to solution

super_edition
Path Finder
‎05-23-2023 12:16 AM

@ITWhisperer  there was an issue in my search parameter of my SPL which I fixed. it is now returning count as expected. Apart from that no change in the stats part of the query

| stats count as hits avg(processDuration) as average perc90(processDuration) as response90 by Operations

Thank you once again

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-16-2023 05:40 AM

Please share the SPL you tried (which isn't working) and explain what results you did get?

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top