Hello everyone!
My data has this form.
I'm trying to make a table in Splunk that will aggregate the data into the following format:
name          from     to             Status    Total_Success  Total_fail
KFI.Database  perun1   10.621.20.32   success   15             0
But my search doesn't work (the server sends me a JSON file):
source="tcp:8080" index="qfi_sandbox_business"
| spath
| rename message AS condition
| rename message AS to
| eval a=mvzip(Type,condition)
| eval b=mvzip(environment,condition)
| eval x=mvzip(a,b)
| mvexpand x
| eval x=split(x, ",")
| eval condition=mvindex(x,1)
| eval to=mvindex(x,2)
| eval name=mvindex(x,3)
| chart count as total over name by MESSAGE="*SUCCESS*"
(If I run the search without the capital letters (by MESSAGE="SUCCESS"), it runs perfectly, but it counts all events, whereas I want to count FAIL and SUCCESS separately. When I run it with that combination it shows an error.)
I also have a slightly different search:
source="tcp:8080" index="qfi_sandbox_business"
| spath
| rename message AS condition
| rename message AS condition2
| eval a=mvzip(Type,condition)
| eval b=mvzip(environment,condition)
| eval x=mvzip(a,b)
| mvexpand x
| eval x=split(x, ",")
| eval condition=mvindex(x,1)
| eval condition2=mvindex(x,2)
| eval name=mvindex(x,3)
| table name, host, condition2, condition
which parses the JSON string (each time in a different way) and produces a table.
So, how do I combine these two searches and count success and fail?
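One way to combine the two searches into a single table with separate success and fail counts, as an added example that is not part of the original post. It assumes the JSON carries three parallel multivalue arrays, Type, environment and message (one entry per operation, in the same order), that host is the "from" column, and that a message containing SUCCESS or FAIL (in any letter case) marks the outcome of that entry. The per-row Status is derived as "success" only when the group has no failures; that rule is an assumption. The field names name, to, condition, Status, Total_Success and Total_fail come from the post, everything else is hypothetical:

```spl
source="tcp:8080" index="qfi_sandbox_business"
| spath
| eval row=mvzip(mvzip(Type, environment), message)
| mvexpand row
| eval parts=split(row, ",")
| eval name=mvindex(parts, 0), to=mvindex(parts, 1), condition=mvindex(parts, 2)
| eval Status=case(match(condition, "(?i)success"), "success",
                   match(condition, "(?i)fail"), "fail",
                   true(), "other")
| stats count(eval(Status="success")) AS Total_Success,
        count(eval(Status="fail")) AS Total_fail
        BY name, host, to
| rename host AS from
| eval Status=if(Total_fail=0, "success", "fail")
| table name, from, to, Status, Total_Success, Total_fail
```

The nested mvzip keeps the three arrays aligned so that one mvexpand yields one row per operation; mvindex is zero-based, so the first zipped value is index 0. The outcome is classified with a case-insensitive regex match into a proper field before counting, because the by clause of chart and stats takes a field name, not a search expression like MESSAGE="*SUCCESS*". If only the per-name breakdown is wanted, the same Status field works with the first search's chart: chart count OVER name BY Status.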