If I get ResultA adding "dedup" to my search and ResultB without it, how do I include both results on the same chart?

juanvarelagloba
Explorer
index=betas host="*433*" description="POSTULATION_SUCCESS" OR description="POSTULATION_FAIL" 
| dedup pnr 
| bucket _time span=1d 
| stats   count(eval(description="POSTULATION_SUCCESS")) as successes   count(eval(description="POSTULATION_FAIL")) as failures by _time 
| eval total=failures+successes 
| eval ratio=successes/total  
| fields - total successes failures

I get certain results when I add dedup pnr and certain results without it.

I'm interested in having them both on the same chart.

What would be a good approach for this?

EDIT: To make my point clearer

This

index=betas host="*433*" description="POSTULATION_SUCCESS" OR description="POSTULATION_FAIL" 
| dedup pnr 
| bucket _time span=1d 
| stats   count(eval(description="POSTULATION_SUCCESS")) as successes   count(eval(description="POSTULATION_FAIL")) as failures by _time 
| eval total=failures+successes 
| eval ratio=successes/total  
| fields - total successes failures

produces a chart like this:

[chart image]

And this:

index=betas host="*433*" description="POSTULATION_SUCCESS" OR description="POSTULATION_FAIL" 
| bucket _time span=1d 
| stats   count(eval(description="POSTULATION_SUCCESS")) as successes   count(eval(description="POSTULATION_FAIL")) as failures by _time 
| eval total=failures+successes 
| eval ratio=successes/total  
| fields - total successes failures

Note that the dedup is gone but the rest is identical; it produces this:

[chart image]

I need to put these two lines in the same chart.

1 Solution

woodcock
Esteemed Legend

Try this

index=betas host="*433*" description="POSTULATION_SUCCESS" OR description="POSTULATION_FAIL"
| streamstats current=t count AS _serial by pnr
| bucket _time span=1d
| stats count(eval(description="POSTULATION_SUCCESS")) as successes count(eval(description="POSTULATION_FAIL")) as failures count(eval(description="POSTULATION_SUCCESS" AND _serial=1)) as last_successes count(eval(description="POSTULATION_FAIL" AND _serial=1)) as last_failures by _time
| eval total=failures+successes
| eval ratio=successes/total
| eval last_total=last_failures+last_successes
| eval last_ratio=last_successes/last_total
| fields - *total *successes *failures

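The streamstats approach in the accepted answer, modelled in Python as an added example (not from the thread) over constructed events: `_serial=1` marks exactly the event `dedup pnr` would keep, so a single stats pass yields both the raw and the deduplicated daily ratio. The event list, day bucketing by date prefix and function names are assumptions for the illustration.

```python
from collections import Counter

# Constructed sample events (not from the thread). Splunk hands events to the
# pipeline newest-first, which is the order `dedup` and `streamstats` see them in.
EVENTS = [
    {"_time": "2024-03-02T10:00:00", "pnr": "A1", "description": "POSTULATION_SUCCESS"},
    {"_time": "2024-03-02T09:00:00", "pnr": "A1", "description": "POSTULATION_FAIL"},
    {"_time": "2024-03-02T08:00:00", "pnr": "B2", "description": "POSTULATION_FAIL"},
    {"_time": "2024-03-01T15:00:00", "pnr": "B2", "description": "POSTULATION_FAIL"},
    {"_time": "2024-03-01T12:00:00", "pnr": "C3", "description": "POSTULATION_SUCCESS"},
    {"_time": "2024-03-01T11:00:00", "pnr": "A1", "description": "POSTULATION_SUCCESS"},
    {"_time": "2024-02-29T09:00:00", "pnr": "B2", "description": "POSTULATION_FAIL"},
]

def streamstats_serial(events, by="pnr"):
    """`streamstats current=t count AS _serial by pnr`: running count per pnr."""
    seen, out = Counter(), []
    for e in events:
        seen[e[by]] += 1
        out.append({**e, "_serial": seen[e[by]]})
    return out

def dedup(events, by="pnr"):
    """`dedup pnr`: keep only the first (newest) event seen for each pnr."""
    seen, kept = set(), []
    for e in events:
        if e[by] not in seen:
            seen.add(e[by])
            kept.append(e)
    return kept

def daily_stats(events):
    """`bucket _time span=1d | stats ... by _time` as in the accepted answer: one dict
    per day with raw and `last_` (deduplicated) counts; a ratio is None when its
    total is 0, since eval's x/0 is null in Splunk."""
    days = {}
    for e in streamstats_serial(events):
        d = days.setdefault(e["_time"][:10], {"successes": 0, "failures": 0,
                                               "last_successes": 0, "last_failures": 0})
        key = "successes" if e["description"] == "POSTULATION_SUCCESS" else "failures"
        d[key] += 1
        if e["_serial"] == 1:  # exactly the event `dedup pnr` would have kept
            d["last_" + key] += 1
    for d in days.values():
        for p in ("", "last_"):
            total = d[p + "successes"] + d[p + "failures"]
            d[p + "ratio"] = d[p + "successes"] / total if total else None
    return days
```

The day with no `_serial=1` event (2024-02-29 in the constructed data) shows the one difference between the two forms: with `dedup` that day drops out of the chart entirely, while the streamstats form keeps it with a null last_ratio.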

juanvarelagloba
Explorer

I am not exactly sure what you're doing there because I'm pretty new to Splunk, but it doesn't seem to be what I was looking for; I probably explained myself incorrectly.

I have updated my question to be clearer. I basically need to have ratio 1, which does not have deduplication by pnr, and ratio 2, which has the deduplication, in the same chart. I think the update will make it much clearer.


woodcock
Esteemed Legend

I had a typo in my answer which I have fixed. Yes, my answer should do exactly what you are saying. Try it again.


juanvarelagloba
Explorer

Also, shouldn't it be comma-separated? I made it so and it seems to work just fine; is there a difference?


woodcock
Esteemed Legend

No difference (all commas are stripped).

juanvarelagloba
Explorer

This was exactly what I was after. Thanks a lot! There's only a slight problem with the fields (which I already solved but am curious about).

It seems that *successes doesn't get rid of the successes field for some weird reason.
