Activity Feed
- Posted Re: Combining and summing the results of two searches on Splunk Search. 06-16-2015 10:44 AM
- Posted Combining and summing the results of two searches on Splunk Search. 06-15-2015 05:05 PM
- Posted Re: Joining two logs by two common fields and output the values as a table on Splunk Search. 06-12-2015 10:20 AM
- Posted Joining two logs by two common fields and output the values as a table on Splunk Search. 06-10-2015 06:20 PM
- Posted Re: How to edit my search to output results to separate rows based on multiple values? on Splunk Search. 05-26-2015 12:03 PM
- Posted Re: How to edit my search to output results to separate rows based on multiple values? on Splunk Search. 05-21-2015 02:48 PM
- Posted Re: How to edit my search to output results to separate rows based on multiple values? on Splunk Search. 05-21-2015 11:19 AM
- Posted Re: How to edit my search to output results to separate rows based on multiple values? on Splunk Search. 05-20-2015 05:03 PM
- Posted How to edit my search to output results to separate rows based on multiple values? on Splunk Search. 05-20-2015 03:58 PM
06-16-2015
10:44 AM
Thanks for the help. I went with the first answer as it was what I was looking for.
06-16-2015
10:44 AM
Thanks, this is what I needed.
06-16-2015
10:44 AM
Thanks, this gives me the total failed as count. I can use this as well for another report.
06-15-2015
05:05 PM
Hi -
I have two searches that have the same fields exactly but from different sources.
I would like to join and sum the results and output
The searches:
index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-retryfailed.log" mailingclass="smtpvhost1.yp.com"|stats count as NumberFailed by MailingId,Bouncetype
MailingId, Bouncetype, NumberFailed
12121,2004,2
12058,3004,4
index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-failed.log" mailingclass="smtpvhost1.yp.com" |stats count as NumberFailed by MailingId,Bouncetype
MailingId, Bouncetype, NumberFailed
12121,2004,4
12058,3004,6
They return, exactly as you see, the same columns. I want to combine (sum) the results and output:
MailingId, Bouncetype, NumberFailed
12121,2004,6
12058,3004,10
Thanks.
06-12-2015
10:20 AM
Thank you for your help.
I was curious what to do when the second search does not have a common field to join on and omitting those results.
So I specifically want to output when there is an actual join with both fields for the two searches.
Again appreciate the help.
06-10-2015
06:20 PM
Hi - I would like to join two logs and get a specific result as a table. I want to join by two common fields. I have been working on getting this all day and need help.
So I have log 1 as below and want these values in a table:
index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-device-category.log" | table DateStamp UserId mailingid ttype DeviceInfo
I have log 2
index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-success.log"
The common fields I want to join by are mailingid and UserId.
In this second log, I want to only return the field EMAIL.
In the end I need to include the first log's output and the second log's output in a table.
So looking for this
DateStamp UserId EMAIL mailingid ttype DeviceInfo
Thanks for any help, if more info is needed, I will gladly input them in this forum
05-26-2015
12:03 PM
Thanks, this was a huge help.
05-21-2015
02:48 PM
This might be more complicated; currently the results are like below:
Consumer | Advertiser
3232 | 2323
From the initial query, is there a way to get to just per row and not column? The charts are not doing the correct comparison since it is not comparing to each other.
More like:
Organization | Failed
Consumer | 3232
Advertiser | 2323
Thanks, appreciate the help. My objective is to be able to do a comparison in the end.
05-21-2015
11:19 AM
This is great. Thank you.
05-20-2015
05:03 PM
Thanks for the answer. I ran into some issues with some parentheses, but I got it to work. Thanks so much:
index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-failed.log" | stats count(eval(mailingclass=="smtpvhost1.yp.com" OR mailingclass=="smtpvhost2.yp.com" OR mailingclass=="smtpvhost3.yp.com")) as Consumer count(eval(mailingclass="smtpvhost1.adsolutions.yp.com" OR mailingclass="smtpvhost2.adsolutions.yp.com" OR mailingclass="smtpvhost3.adsolutions.yp.com")) as Advertiser
Is it easy to manipulate this into a chart to see comparisons over time?
05-20-2015
03:58 PM
Hi - I have been trying to get this search below to result in separate rows depending on the values. I have the information below:
My current search
index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-failed.log" | chart count(mailingclass) as NumberFailed by mailingclass
which results in:
mailingclass NumberFailed
smtpvhost1.adsolutions.yp.com 136
smtpvhost1.yp.com 131
smtpvhost3.yp.com 124
smtpvhost2.adsolutions.yp.com 28
smtpvhost3.adsolutions.yp.com 8
smtpvhost2.yp.com 2
I want to get two rows:
first row "Consumer" where
mailingclass="smtpvhost1.yp.com" OR mailingclass="smtpvhost2.yp.com" OR mailingclass="smtpvhost3.yp.com"
second row "Advertiser" where
mailingclass="smtpvhost1.adsolutions.yp.com" OR mailingclass="smtpvhost2.adsolutions.yp.com" OR mailingclass="smtpvhost3.adsolutions.yp.com"
Now I want to only have two total rows. An example would be something like this:
ORGANIZATION Failed
Consumer 172
Advertiser 257
Any help would be great, this is so much easier in SQL, I am having issues all day in SPLUNK. Thanks.