Splunk Search

Need help in merging the queries

Aj01
Path Finder

Hi,

I need to add two queries so that they come as different fields in one visualization: one will be the error transactions and one will be the success transactions.

 

index=sso Appid="APP-49" PROD ("Util.validateAuth" AND "METHOD_ENTRY")   - ERROR

index=sso Appid="APP-49" PROD ("RestTorHandler : hleError :" OR "java.net.SocketException: Connection reset]" OR "Error in processor call." OR level="error" NOT "resubmit the request")      - SUCCESS

 

I need to add both queries and provide the count for error and the count for success, but while using this query, the sum of the error transactions is level!=error, so the error count is not matching.

index=ss Appid="APP-49" PROD ("Util.validateAuth" AND "METHOD_ENTRY") OR index=sso ("RestTorHandler : hleError :" OR "java.net.SocketException: Connection reset]" OR "Error in processor call." OR level="error" NOT "resubmit the request") 
| rex field=_raw " (?<service_name>\w+)-prod"
| eval err_flag = if(environment="nonprod", 1,0)
| eval success_flag = if(level!="ERROR", 1,0)
| stats sum(err_flag) as total_errors, sum(success_flag) as total_successes by service_name

 

Please help, it would be great.

 

0 Karma

ITWhisperer
SplunkTrust

Try something like this

index=sso Appid="APP-49" PROD ("Util.validateAuth" AND "METHOD_ENTRY") OR ("RestTorHandler : hleError :" OR "java.net.SocketException: Connection reset]" OR "Error in processor call." OR level="error" NOT "resubmit the request")
| rex field=_raw " (?<service_name>\w+)-prod"
| eval err_flag = if(searchmatch("Util.validateAuth" AND "METHOD_ENTRY"), 1,0)
| eval success_flag = if(searchmatch("RestTorHandler : hleError :" OR "java.net.SocketException: Connection reset]" OR "Error in processor call." OR level="error" NOT "resubmit the request"), 1,0)
| stats sum(err_flag) as total_errors, sum(success_flag) as total_successes by service_name

Aj01
Path Finder

It is not working, as it doesn't take AND and NOT in the if command.

Getting error: Error in 'EvalCommand': The expression is malformed. Expected ).

0 Karma

PickleRick
SplunkTrust

No, it's about the unescaped quotes in the searchmatch() argument. If it needs embedded strings, the quotes for those strings should be escaped.

0 Karma
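For reference, here is the suggested search with the searchmatch() arguments written as single strings, the embedded quotes escaped as PickleRick describes. This is an added example, not code posted by any participant in the thread; it keeps the original field names (service_name, err_flag, success_flag) and assumes searchmatch() accepts the same AND/OR/NOT syntax as the search command, so each flag is set only when the event matches that clause.

```spl
index=sso Appid="APP-49" PROD ("Util.validateAuth" AND "METHOD_ENTRY") OR ("RestTorHandler : hleError :" OR "java.net.SocketException: Connection reset]" OR "Error in processor call." OR level="error" NOT "resubmit the request")
| rex field=_raw " (?<service_name>\w+)-prod"
| eval err_flag = if(searchmatch("\"Util.validateAuth\" AND \"METHOD_ENTRY\""), 1, 0)
| eval success_flag = if(searchmatch("\"RestTorHandler : hleError :\" OR \"java.net.SocketException: Connection reset]\" OR \"Error in processor call.\" OR level=\"error\" NOT \"resubmit the request\""), 1, 0)
| stats sum(err_flag) as total_errors, sum(success_flag) as total_successes by service_name
```

The "Expected )" error in the earlier reply comes from the parser seeing `searchmatch("Util.validateAuth" AND ...)` as a string followed by a bare AND, which eval does not understand; wrapping the whole clause in one string with `\"` around the inner terms gives searchmatch() a single argument to evaluate. If an event matches both clauses it will be counted in both totals, which is worth checking against the base search before trusting the ratio.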