Splunk Search

# of events in the result and stats count by <field>

bojjas
Observer

Hello all,

We are new to Splunk, learning and working on the SLOs/SLIs defined for the application. We are confused right at the beginning by the results from a search, as below:

1,092 events (2/5/21 2:45:00.000 PM to 2/5/21 3:45:29.000 PM)
Failed 724
Success 722

Question: shouldn't Failed and Success add up to the 1,092 events, or are we missing something in the following search?


sourcetype="cf:logmessage"
| fields msg.message
| spath
| rename msg.message as message
| eval test = case('message'="Finished running cron job.", "Success", 'message'="No trips ready to process.", "Failed", true(), 'message')
| stats count(message) by test

We got a bunch of requirements; the 1st requirement is to show the % of Success and % of Failed in a chart (maybe a pie chart).

Thanks and Regards,

Bojja

0 Karma
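For the first requirement, here is an added example search (not part of the original post). It differs from the question's search in one important way: `stats count BY outcome` counts events in each group, so the per-outcome counts always add up to the event count shown in the search header, whereas `stats count(message)` counts occurrences of the field and counts an event once per value when `message` is multivalued. The sourcetype and the two message strings are taken from the question; the `Other` bucket, the field names `outcome`, `events`, `pct` and `total`, and the percentage calculation are assumptions for illustration.

```spl
sourcetype="cf:logmessage"
| spath output=message path=msg.message
| eval outcome=case(
      message="Finished running cron job.",  "Success",
      message="No trips ready to process.",  "Failed",
      true(),                                "Other")
| stats count AS events BY outcome
| eventstats sum(events) AS total
| eval pct=round(100*events/total, 2)
| fields outcome events pct
```

`true()` as the last case() condition is the standard way to write a default branch (a condition such as `1=0` is never true, so unmatched messages would get no value and be dropped by `BY outcome`). For the pie chart, pick the Pie Chart visualization on this result: it uses `outcome` as the slice label and `events` as the slice size and computes the percentages itself; the `pct` column is there for a table or single-value panel that needs the number explicitly. If `msg.message` turns out to be multivalued in some events, decide first which value should drive the classification (for example `mvindex(message, 0)` for the first one) before relying on the comparison in case().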

saravanan90
Contributor

Check if a single event has multiple values for the message field.

sourcetype="cf:logmessage"
| fields msg.message
| spath
| rename msg.message as message
| eval temp=mvcount(message)
| where temp > 1

0 Karma