- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- stats count by multiple values with conditions
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello All,
i have the following query with results:
Query:
index=X1 OR index=X2 OR index=X3 OR index=X4| stats count by result_action
result_action count
Failure 356
Success 591
Failure with condition1 5
Success with condition1 58088
Check Resource 47245
Data Store Error 4
Read User Properties 7381
User Token Created 38737
User Token Failed 77818
I would like to collapse all result_actions and group them as follows.
Success= value
Failure=value
Total=Value
Could anyone help here
Thanks
Ashish
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The easiest thing to do here would be to create tags for each value with your desired groups above. Setting the tag "success" on result_action="Success with condition" and so on.
You could then write a search like:
index=X1 OR index=X2 OR index=X3 OR index=X4| stats count by tag::result_action
Hope that helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
if there is a Fail in result_action it is a FAILED & if Succ in result_action it is a SUCCESS.
thnx
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The easiest thing to do here would be to create tags for each value with your desired groups above. Setting the tag "success" on result_action="Success with condition" and so on.
You could then write a search like:
index=X1 OR index=X2 OR index=X3 OR index=X4| stats count by tag::result_action
Hope that helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Excellent. If you wouldn't mind voting up the answer and selecting it as the correct answer, I would appreciate it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yep that worked, thnx…
Ashish
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No problem at all. In the search interface, you will want to go into the field picker and make result_action a selected field. It will then show up under each event in the search results. From there, you can click on the result_action=value in an event and you will see a Tag option there. Just add "success" or "failure" for each of the possible result_action values, then the search provided above will work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, newbie here… not sure how to add Tags.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you go through and add all of the tags on various values of result_action? I was able to run a command like this on my own Splunk instance and count results by tags rather than the original values.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this didnt work i got a "No result found"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Which fields are you counting as failures, and which are successes?
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
