Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

multiple sourcetype search and scoring

DonDandrea
Path Finder
‎06-25-2014 08:35 AM

I have been working on a search for a while and I am stumped.

I am searching two different source types. One value I am extracting is a stats count and the other is the sum of values from the other source type. I need to combine the results from the two based on a single field. The field exists in both source types but each has it's own name. If I do not rename it one of the two values is present. If I rename it then the other shows. I really need to get both of these values in and be able to run an eval on them to determine percentage to understand who is having the most problems using our software. The two fields that match are Agency and Agent.

index=dspro (sourcetype=telemetry(Version=PROD OR Version=BETA OR Version=ALPH)) OR (sourcetype=bootlogmaster (DSproSystem=Prod OR DSproSystem=Beta OR DSproSystem=Alph)) | rename Agent as Agency | stats sum(TotalTransactions) as transaction_count count(eval(sourcetype="bootlogmaster")) as error_count by Agency | eval percent=(error_count/transaction_count)*100 | sort by Agency
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎06-25-2014 09:25 AM

I would have expected the rename to work properly, but since it apparently didn't, try coalesce instead:

index=dspro (sourcetype=telemetry (Version=PROD OR Version=BETA OR Version=ALPH)) OR (sourcetype=bootlogmaster (DSproSystem=Prod OR DSproSystem=Beta OR DSproSystem=Alph)) 
| eval Agency=coalesce(Agency,Agent)
| stats sum(TotalTransactions) as transaction_count 
        count(eval(sourcetype="bootlogmaster")) as error_count by Agency 
| eval percent=(error_count/transaction_count)*100 
| sort by Agency

(BTW, it is entirely okay for a search to span multiple lines, just copy and paste this into the search box.)

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎06-25-2014 09:25 AM

I would have expected the rename to work properly, but since it apparently didn't, try coalesce instead:

index=dspro (sourcetype=telemetry (Version=PROD OR Version=BETA OR Version=ALPH)) OR (sourcetype=bootlogmaster (DSproSystem=Prod OR DSproSystem=Beta OR DSproSystem=Alph)) 
| eval Agency=coalesce(Agency,Agent)
| stats sum(TotalTransactions) as transaction_count 
        count(eval(sourcetype="bootlogmaster")) as error_count by Agency 
| eval percent=(error_count/transaction_count)*100 
| sort by Agency

(BTW, it is entirely okay for a search to span multiple lines, just copy and paste this into the search box.)

Reply
Solved! Jump to solution

DonDandrea
Path Finder
‎06-25-2014 11:55 AM

I would have never found this solution on my own since it is not in Splunk's List of search commands. I did a search and found documentation though. Thank you very much. I have been pulling my hair out trying to figure this out.

0 Karma
Reply
Solved! Jump to solution

DonDandrea
Path Finder
‎06-25-2014 08:42 AM

dded the space and came up with the same result.
index=dspro (sourcetype=telemetry (Version=PROD OR Version=BETA OR Version=ALPH)) OR (sourcetype=bootlogmaster (DSproSystem=Prod OR DSproSystem=Beta OR DSproSystem=Alph)) | rename Agent as Agency | stats sum(TotalTransactions) as transaction_count count(eval(sourcetype="bootlogmaster")) as error_count by Agency | eval percent=(error_count/transaction_count)*100 | sort by Agency

0 Karma
Reply
Solved! Jump to solution

grijhwani
Motivator
‎06-25-2014 08:39 AM

Edited to format the search. Incidentally you appear to be missing a space after "telemetry".

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...