Splunk Search

Combining two search stats

adityapavan18
Contributor

Hi,

I have 2 search queries.

sourcetype="zzz" Accepted | stats count as SuccessCases

sourcetype="zzz" Rejected | stats count as FailureCases

Now I need to find the rqtion of both. How can I do that? Can anyone help me here?


kristian_kolb
Ultra Champion

Hi,

If Accepted and Rejected are extracted into a field, e.g. zzz_status or something similar, the following search might do the trick.

UPDATED AGAIN AGAIN: If you just want to count the occurrence of success/fail, and the events within the log contain the string mentioned in your comment (<ns:emailaccepted blah> or <ns:emailrejected blah blah>), the search could be altered into:

sourcetype="zzz"
| rex field=_raw "(?i)<ns:email(?<zzz_status>[^ ]+)"
| eval zzz_status=lower(zzz_status)
| stats count(eval(zzz_status=="accepted")) AS Success, count(eval(zzz_status=="rejected")) AS Fail
| eval SuccessToFailRatio=Success/Fail
| table Success, Fail, SuccessToFailRatio

The rex statement above will find whatever is between "<ns:email" and the first blank space (" ") and call it zzz_status. Beware, though, that this would also match on <ns:email-server, <ns:emailaccount, <ns:emailAddress etc., so you might want to watch your step there...

hth,

Kristian

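The caveat in the answer above (the loose pattern also matches <ns:emailAddress and similar tags) is easy to test outside Splunk. The following is an added example, not code from the thread: it runs the answer's loose rex pattern and a tightened one over a handful of constructed events modelled on the samples in this thread (the `SAMPLE_EVENTS` list and the `TEXT=` wrapper are assumptions, not real log data), mimics `rex` semantics (first match only) and `lower()`, and computes the Success/Fail ratio while handling the zero-failure case, where Splunk's eval would yield a null ratio.

```python
import re
from typing import Optional

# Constructed sample events, modelled on the thread's description (an XML
# payload under a TEXT field, status tags like <ns:EmailAccepted>).
# These are NOT real log lines.
SAMPLE_EVENTS = [
    'textMessage sent: TEXT=<ns:Response><ns:RID>1234</ns:RID>'
    '<ns:EmailAccepted>ok</ns:EmailAccepted></ns:Response>',
    'textMessage sent: TEXT=<ns:Response><ns:RID>1235</ns:RID>'
    '<ns:EmailRejected reason="bounce"/></ns:Response>',
    # An unrelated <ns:Email...> element appears BEFORE the status tag.
    'textMessage sent: TEXT=<ns:Response><ns:EmailAddress>a@b.example'
    '</ns:EmailAddress><ns:EmailAccepted/></ns:Response>',
    # No status tag at all.
    'textMessage sent: TEXT=<ns:Response><ns:RID>1236</ns:RID></ns:Response>',
]

# Loose pattern from the answer: everything after "<ns:email" up to the first
# blank. Python spells named groups (?P<name>...); Splunk rex uses (?<name>...).
LOOSE = re.compile(r"<ns:email(?P<zzz_status>[^ ]+)", re.IGNORECASE)

# Tightened pattern: only the two status tags, ended by a tag boundary, so a
# preceding <ns:EmailAddress> or a status tag closed with ">" no longer breaks it.
TIGHT = re.compile(r"<ns:email(?P<zzz_status>accepted|rejected)\b", re.IGNORECASE)


def extract_status(event: str, pattern: re.Pattern) -> Optional[str]:
    """Mimic `rex`: first match only, then lower-case like eval lower()."""
    m = pattern.search(event)
    return m.group("zzz_status").lower() if m else None


def count_outcomes(events, pattern):
    """Equivalent of stats count(eval(...)) AS Success / AS Fail."""
    statuses = [extract_status(e, pattern) for e in events]
    success = statuses.count("accepted")
    fail = statuses.count("rejected")
    return success, fail


def success_to_fail_ratio(success: int, fail: int) -> Optional[float]:
    """Success/Fail; Splunk eval returns null on division by zero, so
    return None instead of raising when there are no failures."""
    return None if fail == 0 else round(success / fail, 3)


if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE), ("tight", TIGHT)):
        s, f = count_outcomes(SAMPLE_EVENTS, pattern)
        print(f"{name}: Success={s} Fail={f} ratio={success_to_fail_ratio(s, f)}")
```

With the loose pattern, event 1 captures "accepted>ok</ns:emailaccepted>..." (no blank follows the tag) and event 3 captures the EmailAddress element that comes first, so both accepted events are missed; the tightened pattern counts both. The same tightening in SPL is `rex field=_raw "(?i)<ns:email(?<zzz_status>accepted|rejected)\b"`.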


RicoSuave
Builder

You can use the xmlkv command to extract those key pairs.


adityapavan18
Contributor

textMessage sent:
<ns:Response>
<ns:RID>1234</ns:RID>
<ns:RQID>D201109191</ns:RQID>

Same way:

textMessage sent:
<ns:Response>
<ns:RID>1234</ns:RID>
<ns:RQID>D201109191</ns:RQID>

The logging happens where the actual payload starts with <ns:EmailAccepted, but that is enclosed under TEXT.

Success scenarios have EmailAccepted.


kristian_kolb
Ultra Champion

Could you submit a sample event or two? I believe that rex is the answer to your question.


adityapavan18
Contributor

Thanks Kristian.

But now I am stuck with one other problem: when I said Accepted (it is part of an XML tag), can you help with how to extract the XML tag name?

Like, my XMLs having tags *Accepted are success scenario logs [eg: or ],

so I need to count all events with EmailAccepted in the XMLs

and then take a ratio.


adityapavan18
Contributor

Sorry, I meant the ratio of SuccessCases/FailureCases.


Ayn
Legend

"rqtion"?
