Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Need help on a query

mahesh27
Communicator
‎04-01-2024 05:31 PM

 

|msats sum(count-error) as Failed where index=metrics_index by service errorNumber errortype

 

Results:

serviceerrorNumbererrortypeFailed
aaca0fail8
aaca10pass1000
aaca25fail290
aaca120fail8
aaca80pass800
aaca200fail400
aaca210pass22
aaca500fail10
aaw120fail8
aaw80pass2000
aaw200fail3
aaw210pass56
aaw500fail22
aaw0pass0
www0fail8
www10pass1000
www25fail290
www120fail8
www80pass800
www200fail400
amb500fail10
amb120fail8
amb80pass2000
amb200fail3
amb210pass56
amb500fail22
amb0pass0
asf0fail8
asf10pass1000
asf0pass0
asf0fail8
asf10pass1000



But we want the output as shown below:
We need only top 4 errornumber show up along with the failed count

serviceerrorNumbererrortypeFailed
aaca0fail2538
10pass
25fail
120fail
80pass
200fail
210pass
500fail
aaw120fail2089
80pass
200fail
210pass
500fail
0pass
www0fail2506
10pass
25fail
120fail
80pass
200fail
amb500fail2099
120fail
80pass
200fail
210pass
500fail
0pass
asf0fail2016
10pass
0pass
0fail
10pass

 

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-03-2024 03:21 AM

Either your table is misaligned or you're trying to do something very non-obvious.

I don't understand what is the relation beetween this:

serviceerrorNumbererrortypeFailed
aaca0fail8
aaca10pass1000
aaca25fail290
aaca120fail8
aaca80pass800
aaca200fail400
aaca210pass22
aaca500fail10

And this:

serviceerrorNumbererrortypeFailed
aaca0fail2538
10pass
25fail
120fail
80pass
200fail
210pass
500fail

 

Also remember that Splunk is not Excel so you can't merge cells

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎04-02-2024 09:43 PM

Hi @mahesh27,

You can filter results like below;

| mstats sum(count-error) as Failed where index=metrics_index by service errorNumber errortype | sort 4 - Failed

 

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...