Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need help on a query

mahesh27
Communicator
‎04-01-2024 05:31 PM

 

|msats sum(count-error) as Failed where index=metrics_index by service errorNumber errortype

 

Results:

serviceerrorNumbererrortypeFailed
aaca0fail8
aaca10pass1000
aaca25fail290
aaca120fail8
aaca80pass800
aaca200fail400
aaca210pass22
aaca500fail10
aaw120fail8
aaw80pass2000
aaw200fail3
aaw210pass56
aaw500fail22
aaw0pass0
www0fail8
www10pass1000
www25fail290
www120fail8
www80pass800
www200fail400
amb500fail10
amb120fail8
amb80pass2000
amb200fail3
amb210pass56
amb500fail22
amb0pass0
asf0fail8
asf10pass1000
asf0pass0
asf0fail8
asf10pass1000



But we want the output as shown below:
We need only top 4 errornumber show up along with the failed count

serviceerrorNumbererrortypeFailed
aaca0fail2538
10pass
25fail
120fail
80pass
200fail
210pass
500fail
aaw120fail2089
80pass
200fail
210pass
500fail
0pass
www0fail2506
10pass
25fail
120fail
80pass
200fail
amb500fail2099
120fail
80pass
200fail
210pass
500fail
0pass
asf0fail2016
10pass
0pass
0fail
10pass

 

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-03-2024 03:21 AM

Either your table is misaligned or you're trying to do something very non-obvious.

I don't understand what is the relation beetween this:

serviceerrorNumbererrortypeFailed
aaca0fail8
aaca10pass1000
aaca25fail290
aaca120fail8
aaca80pass800
aaca200fail400
aaca210pass22
aaca500fail10

And this:

serviceerrorNumbererrortypeFailed
aaca0fail2538
10pass
25fail
120fail
80pass
200fail
210pass
500fail

 

Also remember that Splunk is not Excel so you can't merge cells

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎04-02-2024 09:43 PM

Hi @mahesh27,

You can filter results like below;

| mstats sum(count-error) as Failed where index=metrics_index by service errorNumber errortype | sort 4 - Failed

 

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...