Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

deduct the count value of same filed with different values and show the difference value only in Pie chart

splunkvickyloui
Explorer
‎06-20-2014 09:33 PM

Hi,

My Log file has lot of error codes like ABC-12, ABC-15, ABC-28, ABC-43.... etc., Those errors may be duplicated. I have eliminated the duplicate with DEDUP as below.

In case of some transaction, occurrence on any DB error (which is ABC-15) in turn returns ABC-28 as per existing code behavior. So, whenever ABC-15 will occur ABC-28 is also getting printed in the logs. Hence we are getting wrong counts in Splunk for ABC-28. This deviation has to be corrected by ABC-28=(ABC-15 counts - ABC-28) OR ABC-28=(ABC-28 – ABC-15)(whichever is greater).

So the difference between the number of error code ABC-15 & ABC-28 will be the final value count for error code ABC-28

The below search query gives me the Error code counts for all the error codes except ABC-15 in pie chart. but the value of ABC-28 should have only the difference. how to get that?

source=my_app_log_prod_node* | rex field=_raw "(?(ajp-\d+.\d+.\d+.\d+-\d+-\d+))\sFinal\sDB\sErrorCode:(?\w+-\d+)" | dedup Transaction_ID Final_DB_Errorcode| search Final_DB_Errorcode!=ABC-15 | stats count by Final_DB_Errorcode | eval Final_DB_Errorcode=Final_DB_Errorcode. "(Count : " .count + ")"

0 Karma
Reply

somesoni2
Revered Legend
‎06-22-2014 12:32 PM

Try this

source=my_app_log_prod_node* | rex field=_raw "(?<transaction_id>(ajp-\d+\.\d+\.\d+\.\d+-\d+-\d+))sFinalsDBsErrorCode:(?<final_db_errorcode>\w+-\d+)" | dedup Transaction_ID Final_DB_Errorcode | eventstats count(eval(Final_DB_Errorcode="ABC-15")) as CountABC15| search Final_DB_Errorcode!=ABC-15 | stats count first(CountABC15) as CountABC15 by Final_DB_Errorcode | eval Final_DB_Errorcode=if(Final_DB_Errorcode="ABC-28",if(count>CountABC15,count-CountABC15,CountABC15-count),Final_DB_Errorcode)| eval Final_DB_Errorcode=Final_DB_Errorcode. "(Count : " .count + ")"
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...