Splunk Search

If I get ResultA adding "dedup" to my search and ResultB without it, how do I include both results on the same chart?

juanvarelagloba
Explorer
index=betas host="*433*" (description="POSTULATION_SUCCESS" OR description="POSTULATION_FAIL")
| dedup pnr
| bucket _time span=1d
| stats count(eval(description="POSTULATION_SUCCESS")) as successes count(eval(description="POSTULATION_FAIL")) as failures by _time
| eval total=failures+successes
| eval ratio=successes/total
| fields - total successes failures

I get certain results when I add dedup pnr and certain results without it.

I'm interested in having them both on the same chart.

What would be a good approach for this?

EDIT: To make my point clearer

This

index=betas host="*433*" (description="POSTULATION_SUCCESS" OR description="POSTULATION_FAIL")
| dedup pnr
| bucket _time span=1d
| stats count(eval(description="POSTULATION_SUCCESS")) as successes count(eval(description="POSTULATION_FAIL")) as failures by _time
| eval total=failures+successes
| eval ratio=successes/total
| fields - total successes failures

produces a chart like this:

[chart image]

And this:

index=betas host="*433*" (description="POSTULATION_SUCCESS" OR description="POSTULATION_FAIL")
| bucket _time span=1d
| stats count(eval(description="POSTULATION_SUCCESS")) as successes count(eval(description="POSTULATION_FAIL")) as failures by _time
| eval total=failures+successes
| eval ratio=successes/total
| fields - total successes failures

Note that the dedup is gone but the rest is identical. It produces this:

[chart image]

I need to put these two lines in the same chart.

1 Solution

woodcock
Esteemed Legend

Try this

index=betas host="*433*" (description="POSTULATION_SUCCESS" OR description="POSTULATION_FAIL")
| streamstats current=t count AS _serial by pnr
| bucket _time span=1d
| stats count(eval(description="POSTULATION_SUCCESS")) as successes
        count(eval(description="POSTULATION_FAIL")) as failures
        count(eval(description="POSTULATION_SUCCESS" AND _serial=1)) as last_successes
        count(eval(description="POSTULATION_FAIL" AND _serial=1)) as last_failures
        by _time
| eval total=failures+successes
| eval ratio=successes/total
| eval last_total=last_failures+last_successes
| eval last_ratio=last_successes/last_total
| fields - *total *successes *failures
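To see what the accepted answer's streamstats trick actually computes, here is an added Python emulation of both pipelines. It is not code from the original post or from Splunk; the events, PNR values and timestamps are constructed for the example. It runs the `_serial` counter and `dedup` over the same newest-first stream and confirms they select the same events, then produces the per-day `ratio` and `last_ratio` columns that the answer's single search charts together. It also covers the case the two-search approach hides: a day on which no PNR's newest event falls, where `last_total` is 0 and `last_ratio` is null (a gap in that line, not a missing row).

```python
"""Offline emulation of `dedup pnr` vs `streamstats count AS _serial by pnr`
and of the combined per-day ratio / last_ratio computation.
All events below are constructed for this example."""
from collections import defaultdict

# Constructed sample events (not taken from the original post).
EVENTS = [
    {"_time": "2024-03-01T09:00:00Z", "pnr": "ABC123", "description": "POSTULATION_FAIL"},
    {"_time": "2024-03-01T10:00:00Z", "pnr": "ABC123", "description": "POSTULATION_SUCCESS"},
    {"_time": "2024-03-01T11:00:00Z", "pnr": "DEF456", "description": "POSTULATION_FAIL"},
    {"_time": "2024-03-02T08:00:00Z", "pnr": "ABC123", "description": "POSTULATION_FAIL"},
    {"_time": "2024-03-02T08:30:00Z", "pnr": "DEF456", "description": "POSTULATION_SUCCESS"},
    {"_time": "2024-03-02T09:00:00Z", "pnr": "GHI789", "description": "POSTULATION_FAIL"},
    {"_time": "2024-03-02T09:30:00Z", "pnr": "GHI789", "description": "POSTULATION_FAIL"},
]


def newest_first(events):
    """Splunk hands events to the pipeline in reverse chronological order by
    default; both dedup and streamstats see them in that order."""
    return sorted(events, key=lambda e: e["_time"], reverse=True)


def with_serial(events):
    """Emulate `streamstats current=t count AS _serial by pnr`: a running
    count per pnr in stream order, so _serial=1 is the newest event per pnr."""
    seen = defaultdict(int)
    out = []
    for e in newest_first(events):
        seen[e["pnr"]] += 1
        out.append({**e, "_serial": seen[e["pnr"]]})
    return out


def dedup(events, field="pnr"):
    """Emulate `dedup pnr`: keep only the first (i.e. newest) event per pnr."""
    kept, out = set(), []
    for e in newest_first(events):
        if e[field] not in kept:
            kept.add(e[field])
            out.append(e)
    return out


def day_of(e):
    """Emulate `bucket _time span=1d` on ISO-8601 UTC timestamps."""
    return e["_time"][:10]


def combined_daily_ratios(events):
    """Emulate the accepted answer: one pass over the stream yields, per day,
    `ratio` over all events and `last_ratio` over the _serial=1 events only."""
    buckets = defaultdict(lambda: {"successes": 0, "failures": 0,
                                   "last_successes": 0, "last_failures": 0})
    for e in with_serial(events):
        b = buckets[day_of(e)]
        ok = e["description"] == "POSTULATION_SUCCESS"
        b["successes" if ok else "failures"] += 1
        if e["_serial"] == 1:
            b["last_successes" if ok else "last_failures"] += 1
    result = {}
    for day, b in sorted(buckets.items()):
        total = b["successes"] + b["failures"]
        last_total = b["last_successes"] + b["last_failures"]
        result[day] = {
            "ratio": b["successes"] / total if total else None,
            # eval's division by zero yields null in Splunk: a day with no
            # newest-per-pnr event gets a ratio point but no last_ratio point.
            "last_ratio": b["last_successes"] / last_total if last_total else None,
        }
    return result


def dedup_matches_serial(events):
    """Check that the _serial=1 events are exactly the ones `dedup pnr` keeps."""
    by_serial = [(e["_time"], e["pnr"]) for e in with_serial(events) if e["_serial"] == 1]
    by_dedup = [(e["_time"], e["pnr"]) for e in dedup(events)]
    return by_serial == by_dedup


if __name__ == "__main__":
    for day, cols in combined_daily_ratios(EVENTS).items():
        print(day, cols)
    print("dedup == _serial=1:", dedup_matches_serial(EVENTS))
```

The equivalence between `dedup pnr` and `_serial=1` only holds while events reach streamstats in Splunk's default newest-first order; if a `sort` or `reverse` is placed before `streamstats`, `_serial=1` will mark the oldest event per PNR instead, while `dedup` without `sortby` would still keep whichever comes first in the stream.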


juanvarelagloba
Explorer

I am not exactly sure what you're doing there because I'm pretty new to Splunk, but it doesn't seem to be what I was looking for. I probably explained myself incorrectly.

I have updated my question to be clearer. I basically need to have ratio 1, which does not have deduplication by pnr, and ratio 2, which has the deduplication, in the same chart. I think the update will make it much clearer.


woodcock
Esteemed Legend

I had a typo in my answer which I have fixed. Yes, my answer should do exactly what you are saying. Try it again.


juanvarelagloba
Explorer

Also, shouldn't it be comma separated? I made it so and it seems to work just fine. Is there a difference?


woodcock
Esteemed Legend

No difference (all commas are stripped).

juanvarelagloba
Explorer

This was exactly what I was after. Thanks a lot! There's only a slight problem with the fields (which I already solved but am curious about).

It seems that *successes doesn't get rid of the successes field for some weird reason.
