Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

# of events in the result and stats count by <field>

bojjas
Observer
‎02-05-2021 08:34 AM

Hello all,

We are new to Splunk , learning and working SLO/SLIs defined for the application.  We are confused in the beginning itself at RESULTs from a SEARCH as below:

1,092 events (2/5/21 2:45:00.000 PM to 2/5/21 3:45:29.000 PM)
Failed 724
Success 722

Question : Failed and Success should match # 1,092 events or we are missing anything in the following SEARCH


sourcetype="cf:logmessage"
| fields msg.message
| spath
| rename msg.message as message
| eval "test" = case('message'="Finished running cron job.","Success" , 'message'="No trips ready to process.","Failed" , 1=0 , 'message')
| stats count(message) by test

We got a bunch of requirements, 1st requirement is to show up % of Success and % of Failed in Chart(May be a PIE chart).

Thanks and Regards,

Bojja

 

Labels (2)
Labels
0 Karma
Reply

saravanan90
Contributor
‎02-05-2021 09:32 AM

Check if the single event has mutilple values for message field.

sourcetype="cf:logmessage"
| fields msg.message
| spath
| rename msg.message as message | eval temp=mvcount(message) |  where temp > 1

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...