Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- join multiple searches into field values
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
join multiple searches into field values
I would like to create Cache_Hit, Cache_Miss and Revalidate_Hit based on the below and doisplay them in the pie graph with percentages and count values
Cache_ Hit is when the field event.cache.cacheHit=1 and the field event.cache.cacheStatus!=3
Cache_Miss is when the field event.cache.cacheHit=0 and the field event.cache.cacheStatus=3
Ravlidate_Hit is when the field event.cache.cacheHit=1 and the field event.cache.cacheStatus=3
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults count=20
| eval event.cache.cacheHit=random() % 2
| eval event.cache.cacheStatus=random() % 4
| table event*
| rename COMMENT as "this is sample, check this result"
| stats count(eval('event.cache.cacheHit'=1 AND 'event.cache.cacheStatus'!=3)) as Cache_Hit
, count(eval('event.cache.cacheHit'=0 AND 'event.cache.cacheStatus'=3)) as Cache_Miss
, count(eval('event.cache.cacheHit'=1 AND 'event.cache.cacheStatus'=3)) as Ravlidate_Hit
| transpose 0 column_name=Cache_status
| rename "row 1" as count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you so much for your reply but I get an error on the makeresults,
My search:
index="akamai-webcdn-afl-app-s"
| makeresults count=20
| eval event.cache.cacheHit=random() % 2
| eval event.cache.cacheStatus=random() % 4
| table event*
| rename COMMENT as "this is sample, check this result"
| stats count(eval('event.cache.cacheHit'=1 AND 'event.cache.cacheStatus'!=3)) as Cache_Hit, count(eval('event.cache.cacheHit'=0 AND 'event.cache.cacheStatus'=3)) as Cache_Miss, count(eval('event.cache.cacheHit'=1 AND 'event.cache.cacheStatus'=3)) as Ravlidate_Hit
| transpose 0 column_name=Cache_status
| rename "row 1" as count
The error:
Error in 'makeresults' command: This command must be the first command of a search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
