Hello All,
I have the following query with results:
Query:
index=X1 OR index=X2 OR index=X3 OR index=X4| stats count by result_action
result_action              count
Failure                    356
Success                    591
Failure with condition1    5
Success with condition1    58088
Check Resource             47245
Data Store Error           4
Read User Properties       7381
User Token Created         38737
User Token Failed          77818
I would like to collapse all result_actions and group them as follows.
Success= value
Failure=value
Total=Value
Could anyone help here?
Thanks
Ashish
The easiest thing to do here would be to create tags for each value with your desired groups above. Setting the tag "success" on result_action="Success with condition" and so on.
You could then write a search like:
index=X1 OR index=X2 OR index=X3 OR index=X4| stats count by tag::result_action
Hope that helps!
If there is a Fail in result_action it is a FAILED, and if Succ in result_action it is a SUCCESS.
Thanks
Excellent. If you wouldn't mind voting up the answer and selecting it as the correct answer, I would appreciate it.
Yep, that worked, thanks…
Ashish
No problem at all. In the search interface, you will want to go into the field picker and make result_action a selected field. It will then show up under each event in the search results. From there, you can click on the result_action=value in an event and you will see a Tag option there. Just add "success" or "failure" for each of the possible result_action values, then the search provided above will work.
Sorry, newbie here… not sure how to add Tags.
Did you go through and add all of the tags on various values of result_action? I was able to run a command like this on my own Splunk instance and count results by tags rather than the original values.
This didn't work; I got a "No result found".
Which fields are you counting as failures, and which are successes?
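An alternative that needs no tags, added here as an example and not part of the original thread: it applies the rule stated above (a result_action containing "Fail" is a failure, one containing "Succ" is a success) at search time and appends a Total row. The field name `outcome` is a hypothetical name chosen for this example. Values matching neither pattern (such as "Check Resource") get no `outcome` and are left out of the counts and the total.

```spl
index=X1 OR index=X2 OR index=X3 OR index=X4
| eval outcome=case(like(result_action, "%Fail%"), "Failure",
                    like(result_action, "%Succ%"), "Success")
| stats count by outcome
| addcoltotals labelfield=outcome label=Total
```

`like()` is case-sensitive, so this matches "User Token Failed" and "Failure with condition1" but would not match a lowercase "failed"; add a final `true(), "Other"` pair to `case()` if unmatched values should be counted in their own row.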