Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- stats count issue
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
krusovice
Path Finder
04-15-2018
08:07 PM
Hello,
I hit a problem in the query below. I believed I'm not allow to form the stat count 2 times in the query. The result of this query result 0 which is not the right answer expected. How can I achieve to get the % failed from the result of the regex?
index=*
| rex field=_raw "Request Name\=(?<request_name>[\w+]+)"
| rex field=_raw "Request type.*Id\=(?<>[toy\w+]+).*Type\=Toy"
| rex field=_raw "Request type.*Id\=(?<>[play\w+]+).*Type\=Play"
| rex field=_raw "Failed.*FailId\=(?<fail_count>[\w+]+)"
| stats count(request_name) as total, count(faild_count) as failed
| eval percentage=round(((failed/total)*100),2)."%"
| stats count(request_name) by "Total Request", count(toy) as "Toy Count", count(play) as "Play Count", count(failed_count) as "Failed Count", values(percentage) as "% Failed" by date_hour
My Expected table should look like this:
date_hour Total Request Toy Count Play Count Failed Count % Failed
1 50 30 10 10 20%
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
p_gurav
Champion
04-15-2018
09:05 PM
Can you try:
index=*
| rex field=_raw "Request Name\=(?<request_name>[\w+]+)"
| rex field=_raw "Request type.*Id\=(?<>[toy\w+]+).*Type\=Toy"
| rex field=_raw "Request type.*Id\=(?<>[play\w+]+).*Type\=Play"
| rex field=_raw "Failed.*FailId\=(?<fail_count>[\w+]+)"
| stats count(request_name) as "Total Request", count(toy) as "Toy Count", count(play) as "Play Count", count(failed_count) as "Failed Count" by date_hour
| eval percentage=round((('Failed Count'/'Total Request')*100),2)."%"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
p_gurav
Champion
04-15-2018
09:05 PM
Can you try:
index=*
| rex field=_raw "Request Name\=(?<request_name>[\w+]+)"
| rex field=_raw "Request type.*Id\=(?<>[toy\w+]+).*Type\=Toy"
| rex field=_raw "Request type.*Id\=(?<>[play\w+]+).*Type\=Play"
| rex field=_raw "Failed.*FailId\=(?<fail_count>[\w+]+)"
| stats count(request_name) as "Total Request", count(toy) as "Toy Count", count(play) as "Play Count", count(failed_count) as "Failed Count" by date_hour
| eval percentage=round((('Failed Count'/'Total Request')*100),2)."%"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
krusovice
Path Finder
04-15-2018
10:05 PM
It's works. Learning something new today.
Thanks 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
04-15-2018
10:37 PM
@krusovice , if possible you should also have single Regular Expression to fetch request_name, toy, play and failed_count from raw data, instead of performing rex extraction four times. Refer to .conf 2017 session on Beyond Regular Regular Expressions by @cpetterborg
Eventually you should convert regular expression based extractions as Fields Knowledge Object for easy maintenance and reuse.
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
Get Updates on the Splunk Community!
Announcing Scheduled Export GA for Dashboard Studio
We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...
Extending Observability Content to Splunk Cloud
Watch Now!
In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...
