Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Inner search for database-fetched data

biju3705
New Member
‎12-19-2017 12:39 PM

I have fetching data to Splunk from a transaction tracker table. My scenario is as given below.

Here is the example of the table data I fetch:
alt text

From the above data I need to find the count of transactions with status="Failed" and do not have any "Success" status. From the above example, I should get the result as 1, since transaction Id 1000 was successful in later stages.

Could you please advise.

Preview file
1 KB
0 Karma
Reply

nikita_p
Contributor
‎12-19-2017 10:36 PM

Hi,
Can you try this if it helps?

...| stats values(Transation status) AS 'Status' values(Insert date time) AS Time BY "Transaction Id" | where Status="Failed"

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-19-2017 08:22 PM

HI @biju3705,

Can you please try this?

YOUR_SEARCH
| stats values(STATUS) as STATUS by TID
| where STATUS!="Success" AND STATUS="Failed"

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...