Hi Team, I have a simple requirement but unable to get it. I am using a query index=tms sourcetype=kafka type=ssh| stats count by NETYPE For above query I am getting output as below NETYPE Count CISCO 100 JUNIPER 200   However, I want output as CISCO JUNIPER 100 200   Can you please help how can I get above o/p table ... View more

Hi All,   I am trying to generate a output using stats command where I want to display table like below Hostname    FTName       Total      Error Code    Error_Count     Error_rate% ABC                 some_ft       1000       8945                300                       30.0 I used below query which is giving me output without Error Code, if I add Error_code in stats by command it is giving total count of that error code but I want total to be total request that Ft got and out of that 8945 error code got 300 errors. How to achieve this.   index=xyz sourcetype=app_team   log_message.FT=some_ft|rename log_message.CODE as FTCODE|stats count as Total_Requests ,count(eval(FTCODE=="8945")) as Errors by server_host, log_message.FT | eval Error_rate=round(Errors/Total_Requests*100,2).+"%"|rename log_message.FT as FT Hostname FT Total_Requests Errors Error_rate ABC some_ft 259 14 5.41       ... View more

Hi, I am trying to join to log files under same index & sourcetype having a common field between them.  log event where type=dte2_fios has below fields TRANID, ANALYSIS, WPID  (this is common field), COMMAND log event where type=dte4_fios has below fields REQID, FT, WPID (this is common field), DIP, DTE,FTC,ERR_MSG I need a table output with below fields and its corresponding value in each row TRANID  WPID, REQID,ANALYSIS ,COMMAND,FT,DIP,DTE,FTC,ERR_MSG   I used below query, but it is giving me multiple values for REQID & FT in single row as one WPID will have multiple REQID & FTs. I need separate row with all the above fields index=delb_np sourcetype="app_kafka_np_east" AND (function_name="dte2_fios" OR function_name="dte4_fios") | table _time @timestamp function_name log_message.WPID log_message.CID log_message.TN log_message.TRANID log_message.REQID log_message.ANALYSIS log_message.COMMAND log_message.DIP log_message.FT | stats values(log_message.TRANID) as TRANID, values(log_message.REQID) as REQID, values(log_message.ANALYSIS) as ANALYSIS, values(log_message.COMMAND) as COMMAND, values(log_message.DIP) as DIP, values(log_message.FT) as FT by log_message.WPID, log_message.CID ... View more

Hi, My scenario is that I have a set of commands and I have total hits & total failures for a command in last 30 mins. Let's say Command A has got 100 hits and out of it 30 got failed in last 30 mins now I want to check the same total hits & total failures of the same command previous 30 mins and if I see same then I want to check for more previous 30 mins and if I see same kind of failure % then I want to trigger an alert. How can I do this in splunk? ... View more