Hi,
My log file has a lot of error codes like ABC-12, ABC-15, ABC-28, ABC-43, etc. Those errors may be duplicated. I have eliminated the duplicates with DEDUP as below.
In the case of some transactions, the occurrence of any DB error (which is ABC-15) in turn returns ABC-28 as per existing code behavior. So whenever ABC-15 occurs, ABC-28 also gets printed in the logs. Hence we are getting wrong counts in Splunk for ABC-28. This deviation has to be corrected by ABC-28 = (ABC-15 count - ABC-28 count) OR ABC-28 = (ABC-28 count - ABC-15 count), whichever is greater.
So the difference between the counts of error codes ABC-15 and ABC-28 will be the final count for error code ABC-28.
The search query below gives me the error code counts for all the error codes except ABC-15 in a pie chart, but the value of ABC-28 should be only the difference. How do I get that?
source=my_app_log_prod_node* | rex field=_raw "(?
Try this
source=my_app_log_prod_node*
| rex field=_raw "(?<Transaction_ID>ajp-\d+\.\d+\.\d+\.\d+-\d+-\d+)\sFinal\sDB\sErrorCode:\s*(?<Final_DB_Errorcode>\w+-\d+)"
| dedup Transaction_ID Final_DB_Errorcode
| eventstats count(eval(Final_DB_Errorcode="ABC-15")) as CountABC15
| search Final_DB_Errorcode!="ABC-15"
| stats count first(CountABC15) as CountABC15 by Final_DB_Errorcode
| eval count=if(Final_DB_Errorcode="ABC-28", abs(count-CountABC15), count)
| eval Final_DB_Errorcode=Final_DB_Errorcode." (Count : ".count.")"
| fields - CountABC15
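For anyone who wants to check that pipeline outside Splunk, here is an added Python example (not part of the original question or answer) that reproduces the same steps over a few constructed log lines: regex extraction with the same named groups, dedup on the (transaction, error code) pair, a count per code, and then the ABC-28 correction as |ABC-28 - ABC-15|, which covers both branches of the "whichever is greater" rule. The log line layout ("<ajp thread id> Final DB ErrorCode:<code>") is assumed from the rex pattern, and the sample lines are made up. Note that the correction has to be applied to the count field, not to the Final_DB_Errorcode field, otherwise the pie chart slice is relabelled with the difference while the original count is still shown.

```python
import re
from collections import Counter

# Constructed sample log (not real data). The "<ajp thread id> Final DB ErrorCode:<code>"
# layout is an assumption based on the rex pattern in the answer above.
SAMPLE_LOG = """\
2024-05-01 10:00:01 INFO  ajp-10.0.0.1-8009-1 Final DB ErrorCode:ABC-15
2024-05-01 10:00:01 INFO  ajp-10.0.0.1-8009-1 Final DB ErrorCode:ABC-28
2024-05-01 10:00:02 INFO  ajp-10.0.0.1-8009-1 Final DB ErrorCode:ABC-28
2024-05-01 10:00:03 INFO  ajp-10.0.0.1-8009-2 Final DB ErrorCode:ABC-12
2024-05-01 10:00:04 INFO  ajp-10.0.0.1-8009-3 Final DB ErrorCode:ABC-15
2024-05-01 10:00:04 INFO  ajp-10.0.0.1-8009-3 Final DB ErrorCode:ABC-28
2024-05-01 10:00:05 INFO  ajp-10.0.0.1-8009-4 Final DB ErrorCode:ABC-28
2024-05-01 10:00:06 INFO  ajp-10.0.0.1-8009-5 Final DB ErrorCode:ABC-43
2024-05-01 10:00:06 INFO  ajp-10.0.0.1-8009-5 Final DB ErrorCode:ABC-43
2024-05-01 10:00:07 INFO  ajp-10.0.0.1-8009-6 Final DB ErrorCode:ABC-28
2024-05-01 10:00:08 INFO  health check ok
"""

# Same named groups as the rex in the answer; whitespace between the words is assumed.
LINE_RE = re.compile(
    r"(?P<transaction_id>ajp-\d+\.\d+\.\d+\.\d+-\d+-\d+)"
    r"\s+Final\s+DB\s+ErrorCode:\s*(?P<final_db_errorcode>\w+-\d+)"
)


def extract(lines):
    """Like `rex`: yield (transaction_id, error_code) for every line that matches."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group("transaction_id"), m.group("final_db_errorcode")


def dedup(pairs):
    """Like `dedup Transaction_ID Final_DB_Errorcode`: keep the first event per pair."""
    seen = set()
    for pair in pairs:
        if pair not in seen:
            seen.add(pair)
            yield pair


def raw_counts(lines):
    """Per-code counts after dedup, i.e. what `stats count by Final_DB_Errorcode` gives."""
    return Counter(code for _, code in dedup(extract(lines)))


def corrected_counts(lines, db_error="ABC-15", derived="ABC-28"):
    """Counts for the pie chart: db_error is dropped and derived becomes |derived - db_error|.

    This mirrors the eventstats/search/eval chain in the answer: the db_error count is
    taken over the deduped events before that code is filtered out of the result.
    """
    counts = raw_counts(lines)
    n_db = counts.pop(db_error, 0)
    if derived in counts:
        counts[derived] = abs(counts[derived] - n_db)
    return dict(counts)


def chart_labels(counts):
    """Labels in the "<code> (Count : <n>)" form the answer builds with eval."""
    return [f"{code} (Count : {n})" for code, n in sorted(counts.items())]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("raw      :", dict(raw_counts(lines)))
    print("corrected:", corrected_counts(lines))
    for label in chart_labels(corrected_counts(lines)):
        print(label)
```

On the sample above the deduped raw counts are ABC-15: 2, ABC-28: 4, ABC-12: 1, ABC-43: 1, so ABC-28 is reported as 2. Because the correction uses the absolute difference, a log where ABC-15 is logged more often than ABC-28 (which should not happen if every ABC-15 produces an ABC-28, but the question allows for it) still yields a non-negative count.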