Actual script:
index=tibco host=tus3eaiapppin22 OR host=tus3eaiapppin19 InterfaceName="CustAcctSvcAsync*" OR InterfaceName="CCSubscrAsyncSvc*" OR InterfaceName="CDMSvc*"
| eval ("status":"SUCCESS") OR ("ended successfully")="Success"
| eval (SYS_ERR_27001) OR (SYS_ERR_27002) OR (SYS_ERR_27004) OR (SYS_ERR_27011) OR (SYS_ERR_27012)="Errors"
| stats count as Success by InterfaceName, host
| append [search index=tibco host=tus3eaiapppin22 OR host=tus3eaiapppin19 InterfaceName="CustAcctSvcAsync*" OR InterfaceName="CCSubscrAsyncSvc*" OR InterfaceName="CDMSvc*" [error]
| stats count as Errors by InterfaceName, host ]
| stats values(Success) as Success, values(Errors) as Errors by InterfaceName, host
| fillnull Success, Errors | addtotals | eval "Success%"=round((Success/Total)*100,2)
| table InterfaceName, Success, Errors | sort - Success%
I also noticed that the query is only giving me the count of on Success... If I change the | stats count as Success by InterfaceName, host to | stats count as Errors by InterfaceName, host the same data is then moved to the errors column... 😕
... View more