Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Total and Error count by Provider

rajkskumar
Explorer
‎09-28-2020 01:41 AM

I am trying to create a table which has Total number of events and the Error count in the events. The field 'services.errorCode' will be filled if there is an error, it will not be filled if the event is a success.

The below query gives me the correct count of Total, but the Error Count is always 0. I have verified in the Events and there are many events with the field errorCode filled.

index=prod | stats count as "Total", count(eval("services.errorCode"!=null)) as "Error Count" by services.serviceProviderName

Please guide me on how this could be done.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-28-2020 04:48 AM

Putting the fieldname in double quotes just converts it to a string with the name of the field in. Try using single quotes as I suggested earlier

index=prod 
| eval error=if(isnull('services.errorCode'),0,1)
| stats count as "Total", sum(error) as "Error Count" by services.serviceProviderName

Single quotes are often needed for field names with dots in. 

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-28-2020 01:58 AM

Try single quotes around the field name

index=prod | stats count as "Total", count(eval('services.errorCode'!=null)) as "Error Count" by services.serviceProviderName
0 Karma
Reply
Solved! Jump to solution

rajkskumar
Explorer
‎09-28-2020 02:05 AM

Tried with single quotes, unfortunately, getting the same results.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-28-2020 02:12 AM

Other people have reported problems with eval within counts so you could try

index=prod 
| eval error=if(isnull(services.errorCode),0,1)
| stats count as "Total", sum(error) as "Error Count" by services.serviceProviderName

 

0 Karma
Reply
Solved! Jump to solution

rajkskumar
Explorer
‎09-28-2020 04:44 AM

It was not working. I have put the field name within Double quotes. Now, everything gets counted as error.

index=prod 
| eval error=if(isnull("services.errorCode"),0,1)
| stats count as "Total", sum(error) as "Error Count" by services.serviceProviderName

Instead of isnull, I also tried with checking the length, if it is zero.  That is not working as well. Total Event count and Error count is coming out the same.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-28-2020 04:48 AM

Putting the fieldname in double quotes just converts it to a string with the name of the field in. Try using single quotes as I suggested earlier

index=prod 
| eval error=if(isnull('services.errorCode'),0,1)
| stats count as "Total", sum(error) as "Error Count" by services.serviceProviderName

Single quotes are often needed for field names with dots in. 

Reply
Solved! Jump to solution

rajkskumar
Explorer
‎09-28-2020 05:14 AM

Could you please suggest to me how to add the percentage of Errors against Total events?

 

index=ladedienst-prod 
| eval errorCount=if(isnull('services.errorCode'),0,1)
| stats count as "Total", sum(errorCount) as "Error Count" by services.serviceProviderName

I have tried with eval before the stats command. But, it was not working. 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-28-2020 05:23 AM 
index=ladedienst-prod 
| eval errorCount=if(isnull('services.errorCode'),0,1)
| stats count as "Total", sum(errorCount) as "Error Count" by services.serviceProviderName
| eval percent=round(('Error Count' * 100) / Total,2)

The calculation should be done after the stats command

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...