Splunk Search

How to write a query where I can show the success and failure of a status?

kiran331
Builder

H
Form the result of a asearch i get field status- success & failed, i need to show the count of success and failed

search= .....|stats count by server status
what it is:

table
server status count

server1 success 5
server1 failed 2

What i need:

server success failed

server1 5 2

Tags (1)
0 Karma
1 Solution

somesoni2
Revered Legend

Do like this

search= .....|chart count by server status

View solution in original post

0 Karma

somesoni2
Revered Legend

Do like this

search= .....|chart count by server status

View solution in original post

0 Karma

kiran331
Builder

Thanks for the answer! In the search i'm using the lookup, i need to get the NULL if there are no Logins at all

search i'm using:
index=abc .... |eval login=if(duration>10,"success","fail")|join type=outer server[|inputlookup IP.csv rename "IP Address" as server]|search "Owner"="xyz"|eval login=if(isnull(login) OR login="","No Logins",login)|chart count by server login

with this search i can only see the results which has success OR failed

In the lookup i have server's which will not have any of logins, for that i need to show "No logins'' in both success and failed fields. Can you help me with that?

0 Karma

somesoni2
Revered Legend

Try this

index=abc .... |search "Owner"="xyz" |eval login=if(duration>10,"success","fail") | chart count by server login 
| append [|inputlookup IP.csv |search "Owner"="xyz" | rename "IP Address" as server | table  server ] | stats values(*) as * by server | fillnull value="No Logins"
0 Karma

kiran331
Builder

Thanks! that worked

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!