splunk search giving same results in table

leomedina
Explorer

Hello,

The below search is producing the same data for success and errors...

index=datapower ApplicationName="mpgw(OAuth-subscription)" "HTTP response code"
| lookup http_response_codes.csv response_code OUTPUT description
| stats count as Success by ApplicationName
| append [search index=datapower ApplicationName="mpgw(OAuth-subscription)" "HTTP response code" 
| stats count as Errors by ApplicationName]
| stats values(Success) as Success, values(Errors) as Errors by ApplicationName

1) How can I make this query output the data where it needs to go? Do I need to create multiple lookups (one for successful and one for errors)? My http_response_codes.csv has a ton of response codes. If so, what would that search look like? I greatly appreciate the help.

0 Karma
woodcock
Esteemed Legend

Try this:

 index=datapower ApplicationName="mpgw(OAuth-subscription)" "HTTP response code"
| lookup http_response_codes.csv response_code OUTPUT description
| stats count(eval(match(description, "success"))) AS Success count(eval(match(description, "error"))) AS Errors BY ApplicationName

0 Karma

leomedina
Explorer

Thank you Mr. Woodcock!

I made some minor modifications on my end but your guidance led me there. I ended up creating a new lookup csv with the status of success or fail in a separate column next to the http codes and was then able to use the above query.

Thanks again!

0 Karma
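The approach leomedina describes in the reply above, sketched as an added example that is not code from the thread. It assumes a hypothetical lookup file `http_response_status.csv` with the columns `response_code` and `status`, where `status` is either `success` or `fail`, and it assumes `response_code` is already extracted as a field on the events. The `Unmapped` column counts events whose code has no row in the lookup, which would otherwise fall out of both totals without notice.

```spl
index=datapower ApplicationName="mpgw(OAuth-subscription)" "HTTP response code"
| lookup http_response_status.csv response_code OUTPUT status
| fillnull value="unmapped" status
| stats count(eval(status="success")) AS Success
        count(eval(status="fail")) AS Errors
        count(eval(status="unmapped")) AS Unmapped
        BY ApplicationName
```

A non-zero `Unmapped` count means the lookup is missing response codes that appear in the data.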

woodcock
Esteemed Legend

Be sure to Upvote any helpful answers and click Accept on the best one to close the Question and let others know what worked.

0 Karma

andrey2007
Contributor

Hello, leomedina

It looks like you should correct the stats statement, because right now you count the same thing in the first search and after the append

1. index=datapower ApplicationName="mpgw(OAuth-subscription)" "HTTP response code"
...
| stats count as Success by ApplicationName

2. [search index=datapower ApplicationName="mpgw(OAuth-subscription)" "HTTP response code"
| stats count as Errors by ApplicationName]

but name the results differently, Success and Errors.

Maybe you should try something like this, to select in some way only successes in the first case and only errors in the second:

 index=datapower ApplicationName="mpgw(OAuth-subscription)" "HTTP response code"
 | lookup http_response_codes.csv response_code OUTPUT description
 | search description="*success*"
 | stats count as Success by ApplicationName
 | append [search index=datapower ApplicationName="mpgw(OAuth-subscription)" "HTTP response code" 
 | lookup http_response_codes.csv response_code OUTPUT description
 | search description="*error*"
 | stats count as Errors by ApplicationName]
0 Karma