Splunk Search

Why is my table search not displaying the application name?

rajgowd1
Communicator

Hi,
i am trying to display success,error and others with percentage in a table but application name is not displaying with below search.

can we tune below search to display application name?

index=Myindex "|METRICS|" cf_org_name="CCN" cf_space_name="lab" cf_app_name="*"|stats count(eval(ResponseCode=200)) 
as Success, count(eval(ResponseCode!=200 AND ResponseCode!=400 AND ResponseCode!=401 AND ResponseCode!=403)) as Error, count(eval(ResponseCode=400 OR ResponseCode=403 OR ResponseCode=500)) as Others, count(ResponseCode) as Total
| eval Percent_Error=round(Error/ Total * 100, 1)| eval Percent_Success=round(Success/ Total * 100, 1)
|eval Percent_Others=round(Others/ Total * 100, 1)| eval Percent_Success=round(Percent_Success,2)|eval Percent_Error=round(Percent_Error,2)
|eval Percent_Others=round(Percent_Others,2)|rename _time as Time
 | table cf_app_name Total Success Error Others Percent_Error Percent_Success Percent_Others
0 Karma
1 Solution

rajgowd1
Communicator

i am able get application name in table,i corrected the query

can we represent same search or using below search and represent in different visualization other than table?

index=Myindex "|METRICS|" cf_org_name="CCN" cf_space_name="lab" cf_app_name="*"|stats count(eval(ResponseCode=200)) 
as Success, count(eval(ResponseCode!=200 AND ResponseCode!=400 AND ResponseCode!=401 AND ResponseCode!=403)) as Error, count(eval(ResponseCode=400 OR ResponseCode=403 OR ResponseCode=500)) as Others, count(ResponseCode) as Total by cf_app_name
| eval Percent_Error=round(Error/ Total 100, 1)| eval Percent_Success=round(Success/ Total 100, 1)
|eval Percent_Others=round(Others/ Total 100, 1)| eval Percent_Success=round(Percent_Success,2)|eval Percent_Error=round(Percent_Error,2)
|eval Percent_Others=round(Percent_Others,2)|rename _time as Time
| table cf_app_name Total Success Error Others Percent_Error Percent_Success Percent_Others

View solution in original post

0 Karma

rajgowd1
Communicator

i am able get application name in table,i corrected the query

can we represent same search or using below search and represent in different visualization other than table?

index=Myindex "|METRICS|" cf_org_name="CCN" cf_space_name="lab" cf_app_name="*"|stats count(eval(ResponseCode=200)) 
as Success, count(eval(ResponseCode!=200 AND ResponseCode!=400 AND ResponseCode!=401 AND ResponseCode!=403)) as Error, count(eval(ResponseCode=400 OR ResponseCode=403 OR ResponseCode=500)) as Others, count(ResponseCode) as Total by cf_app_name
| eval Percent_Error=round(Error/ Total 100, 1)| eval Percent_Success=round(Success/ Total 100, 1)
|eval Percent_Others=round(Others/ Total 100, 1)| eval Percent_Success=round(Percent_Success,2)|eval Percent_Error=round(Percent_Error,2)
|eval Percent_Others=round(Percent_Others,2)|rename _time as Time
| table cf_app_name Total Success Error Others Percent_Error Percent_Success Percent_Others
0 Karma

woodcock
Esteemed Legend

You should click Accept on your answer to close this question and then ask a new question.

0 Karma

rajgowd1
Communicator

sure,i got the answer.accepted

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Glad you were able to resolve your own issue. Based on your data, one string key and multiple number data points, you could create a column chart or bar chart for it. One problem that you may face is that you're displaying both count as percentage, and scale for both could be very different, I would suggest to limit your visualization to any one type, either count or percentage fields. (in last table command either use | table cf_app_name Total Success Error Others OR use | table cf_app_name Percent_Error Percent_Success Percent_Others

The line |rename _time as Time is dead code as after stats there is no _time field.

Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...