Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write a query where I can show the success and failure of a status?

kiran331
Builder
‎08-10-2016 07:38 AM

H
Form the result of a asearch i get field status- success & failed, i need to show the count of success and failed

search= .....|stats count by server status
what it is:

table
server status count

server1 success 5
server1 failed 2

What i need:

server success failed

server1 5 2

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-10-2016 07:46 AM

Do like this

search= .....|chart count by server status

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-10-2016 07:46 AM

Do like this

search= .....|chart count by server status
0 Karma
Reply
Solved! Jump to solution

kiran331
Builder
‎08-10-2016 08:16 AM

Thanks for the answer! In the search i'm using the lookup, i need to get the NULL if there are no Logins at all

search i'm using:
index=abc .... |eval login=if(duration>10,"success","fail")|join type=outer server[|inputlookup IP.csv rename "IP Address" as server]|search "Owner"="xyz"|eval login=if(isnull(login) OR login="","No Logins",login)|chart count by server login

with this search i can only see the results which has success OR failed

In the lookup i have server's which will not have any of logins, for that i need to show "No logins'' in both success and failed fields. Can you help me with that?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-10-2016 08:43 AM

Try this

index=abc .... |search "Owner"="xyz" |eval login=if(duration>10,"success","fail") | chart count by server login 
| append [|inputlookup IP.csv |search "Owner"="xyz" | rename "IP Address" as server | table  server ] | stats values(*) as * by server | fillnull value="No Logins"
0 Karma
Reply
Solved! Jump to solution

kiran331
Builder
‎08-10-2016 09:49 AM

Thanks! that worked

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...