Splunk Search

If I get ResultA adding "dedup" to my search and ResultB without it, how do I include both results on the same chart?

index=betas host="*433*" description="POSTULATION_SUCCESS" OR description="POSTULATION_FAIL" 
| dedup pnr 
| bucket _time span=1d 
| stats   count(eval(description="POSTULATION_SUCCESS")) as successes   count(eval(description="POSTULATION_FAIL")) as failures by _time 
| eval total=failures+successes 
| eval ratio=successes/total  
| fields - total successes failures

I get certain results when I add dedup pnr and certain results without it.

I'm interested in having them both on the same chart.

What would be a good approach for this?

EDIT: To make my point clearer

This

index=betas host="*433*" description="POSTULATION_SUCCESS" OR description="POSTULATION_FAIL" 
| dedup pnr 
| bucket _time span=1d 
| stats   count(eval(description="POSTULATION_SUCCESS")) as successes   count(eval(description="POSTULATION_FAIL")) as failures by _time 
| eval total=failures+successes 
| eval ratio=successes/total  
| fields - total successes failures

produces a chart like this:

[chart image: daily ratio with dedup pnr]

And this:

index=betas host="*433*" description="POSTULATION_SUCCESS" OR description="POSTULATION_FAIL" 
| bucket _time span=1d 
| stats   count(eval(description="POSTULATION_SUCCESS")) as successes   count(eval(description="POSTULATION_FAIL")) as failures by _time 
| eval total=failures+successes 
| eval ratio=successes/total  
| fields - total successes failures

Note that the dedup is gone but the rest is identical. It produces this:

[chart image: daily ratio without dedup pnr]

I need to put these two lines in the same chart.


Esteemed Legend

Try this

index=betas host="*433*" description="POSTULATION_SUCCESS" OR description="POSTULATION_FAIL"
| streamstats current=t count AS _serial by pnr
| bucket _time span=1d
| stats count(eval(description="POSTULATION_SUCCESS")) as successes
        count(eval(description="POSTULATION_FAIL")) as failures
        count(eval(description="POSTULATION_SUCCESS" AND _serial=1)) as last_successes
        count(eval(description="POSTULATION_FAIL" AND _serial=1)) as last_failures
        by _time
| eval total=failures+successes
| eval ratio=successes/total
| eval last_total=last_failures+last_successes
| eval last_ratio=last_successes/last_total
| fields - *total *successes *failures
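
The trick in the accepted answer, as an added example that is not part of the original thread: a small Python reimplementation of the SPL semantics run over constructed sample events. `streamstats current=t count AS _serial by pnr` numbers the events of each pnr in the order the search returns them (newest first), so `_serial=1` marks exactly the events `dedup pnr` would keep; counting all events and counting only the `_serial=1` events in the same `stats` yields both ratios per day in one pass. The event tuples, pnr values and timestamps below are constructed; the field names follow the thread.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not from the original post). Each tuple is
# (_time as ISO-8601 UTC, pnr, description), listed newest-first, which is
# the order Splunk returns events and the order `dedup pnr` and
# `streamstats ... by pnr` see them in.
EVENTS = [
    ("2019-03-02T10:00:00Z", "PNR-A", "POSTULATION_SUCCESS"),
    ("2019-03-02T09:30:00Z", "PNR-A", "POSTULATION_FAIL"),
    ("2019-03-02T09:00:00Z", "PNR-A", "POSTULATION_FAIL"),
    ("2019-03-02T08:00:00Z", "PNR-B", "POSTULATION_FAIL"),
    ("2019-03-01T15:00:00Z", "PNR-C", "POSTULATION_SUCCESS"),
    ("2019-03-01T14:00:00Z", "PNR-D", "POSTULATION_SUCCESS"),
    ("2019-03-01T13:00:00Z", "PNR-D", "POSTULATION_FAIL"),
    ("2019-03-01T12:00:00Z", "PNR-B", "POSTULATION_SUCCESS"),
]


def bucket_day(ts):
    """Equivalent of `bucket _time span=1d`: truncate the timestamp to its UTC day."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt.astimezone(timezone.utc).date().isoformat()


def dedup_pnr(events):
    """Equivalent of `dedup pnr`: keep only the first event seen per pnr."""
    kept, seen = [], set()
    for ev in events:
        if ev[1] not in seen:
            seen.add(ev[1])
            kept.append(ev)
    return kept


def serialize_by_pnr(events):
    """Equivalent of `streamstats current=t count AS _serial by pnr`: number
    each event within its pnr in arrival order, starting at 1. The events
    with _serial == 1 are exactly the ones dedup_pnr() keeps."""
    seen = defaultdict(int)
    out = []
    for ts, pnr, desc in events:
        seen[pnr] += 1
        out.append({"_time": ts, "pnr": pnr, "description": desc, "_serial": seen[pnr]})
    return out


def daily_ratios(events):
    """Equivalent of the stats/eval chain in the accepted answer: per day, the
    success ratio over all events (`ratio`) and over the first event seen
    per pnr (`last_ratio`). A day with no events of a kind yields None,
    as SPL's eval yields null on division by zero."""
    per_day = defaultdict(lambda: {"successes": 0, "failures": 0,
                                   "last_successes": 0, "last_failures": 0})
    for ev in serialize_by_pnr(events):
        row = per_day[bucket_day(ev["_time"])]
        ok = ev["description"] == "POSTULATION_SUCCESS"
        row["successes" if ok else "failures"] += 1
        if ev["_serial"] == 1:
            row["last_successes" if ok else "last_failures"] += 1
    result = {}
    for day in sorted(per_day):
        r = per_day[day]
        total = r["successes"] + r["failures"]
        last_total = r["last_successes"] + r["last_failures"]
        result[day] = {
            "ratio": r["successes"] / total if total else None,
            "last_ratio": r["last_successes"] / last_total if last_total else None,
        }
    return result


if __name__ == "__main__":
    for day, ratios in daily_ratios(EVENTS).items():
        print(day, ratios)
```

Note that `dedup pnr` runs before `bucket`, so a pnr whose newest event falls on one day vanishes from every earlier day's deduplicated counts (PNR-B in the sample data); the `_serial` approach inherits the same behaviour, which is why the two ratios can diverge by more than the duplicates within a single day would explain.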

I am not exactly sure what you're doing there because I'm pretty new to Splunk, but it doesn't seem to be what I was looking for; I probably explained myself incorrectly.

I have updated my question to be clearer. I basically need to have ratio 1, which does not have deduplication by pnr, and ratio 2, which has the deduplication, in the same chart. I think the update will make it much clearer.


Esteemed Legend

I had a typo in my answer which I have fixed. Yes, my answer should do exactly what you are saying. Try it again.


Also, shouldn't it be comma separated? I made it so and it seems to work just fine; is there a difference?


Esteemed Legend

No difference (all commas are stripped).

This was exactly what I was after. Thanks a lot! There's only a slight problem with the fields (which I already solved but am curious about).

It seems that *successes doesn't get rid of the successes field for some weird reason.
