Hello all,
I ran the below query
...|stats count by message_type
I got the below result
message_type count
a_req 2
a_res 1
b_req 4
b_res 2
I ran a query to combine the a_req and a_res totals:
| rex field=EWS_MESSAGE_QUALIFIER "(?<MESSAGE_TYPE>\w+)_" |chart count by MESSAGE_TYPE
which combines both a_req and a_res:
message_type count
a 3
b 6
Now I am trying to categorize into success and failure based on some codes. Below is the query I ran:
| rex field=EWS_MESSAGE_QUALIFIER "(?<MESSAGE_TYPE>\w+)_"
|eval category=if((CODE="0" OR CODE="null") AND (CODE1="000" OR CODE1="null") AND (CODE2="000" OR CODE2="null") ,"Success","Failure")
|chart count by MESSAGE_TYPE,category | addcoltotals labelfield=total
|fillnull value=TOTAL |fields- total
but the above search is not treating the null values of the response codes as success. How can this be done?
Thanks in advance.
Use the isnull function to compare a field against null.
your base search | rex field=EWS_MESSAGE_QUALIFIER "(?<MESSAGE_TYPE>\w+)_"
|eval category=if((CODE="0" OR isnull(CODE)) AND (CODE1="000" OR isnull(CODE1)) AND (CODE2="000" OR isnull(CODE2)) ,"Success","Failure")
|chart count by MESSAGE_TYPE,category | addcoltotals labelfield=total
|fillnull value=TOTAL |fields- total
Also, check if the conditions are correct; I think it is the order of the conditions. IMO, it should be like this:
your base search | rex field=EWS_MESSAGE_QUALIFIER "(?<MESSAGE_TYPE>\w+)_"
|eval category=if(CODE="0" OR isnull(CODE) OR CODE1="000" OR CODE2="000" ,"Success","Failure")
|chart count by MESSAGE_TYPE,category | addcoltotals labelfield=total
|fillnull value=TOTAL |fields- total
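The reason the original search never lands in "Success" for a response without codes is that `CODE="null"` only matches a field that literally contains the string `null`; when the field is absent, every comparison against it evaluates to null, so the whole AND is false and the event is labelled "Failure". Below is a self-contained version of the corrected search, added here as an example and not part of the original question or answer. It builds a small constructed dataset with `makeresults`, `makemv` and `mvexpand` (the field names `EWS_MESSAGE_QUALIFIER`, `CODE`, `CODE1`, `CODE2` and the success codes `0`/`000` are taken from the thread; the sample rows are made up), blanks the empty values so they behave exactly like a missing field, and then applies the `isnull()` check per field:

```spl
| makeresults
| eval rows="a_req,0,000,000;a_req,1,000,000;a_res,,,;b_req,0,000,000;b_req,0,,000;b_req,2,000,000;b_req,0,000,000;b_res,,,;b_res,0,000,001"
| makemv delim=";" rows
| mvexpand rows
| rex field=rows "^(?<EWS_MESSAGE_QUALIFIER>[^,]*),(?<CODE>[^,]*),(?<CODE1>[^,]*),(?<CODE2>[^,]*)$"
| eval CODE=if(CODE="", null(), CODE), CODE1=if(CODE1="", null(), CODE1), CODE2=if(CODE2="", null(), CODE2)
| rex field=EWS_MESSAGE_QUALIFIER "(?<MESSAGE_TYPE>\w+)_"
| eval category=if((CODE="0" OR isnull(CODE)) AND (CODE1="000" OR isnull(CODE1)) AND (CODE2="000" OR isnull(CODE2)), "Success", "Failure")
| chart count by MESSAGE_TYPE, category
| addcoltotals labelfield=MESSAGE_TYPE label=TOTAL
```

With the constructed rows this yields `a` with 2 Success / 1 Failure, `b` with 4 Success / 2 Failure, and a `TOTAL` row of 6 / 3. The `addcoltotals labelfield=MESSAGE_TYPE label=TOTAL` form replaces the `labelfield=total | fillnull value=TOTAL | fields - total` sequence from the thread in one step. Two equivalent ways to express the same intent are to normalise first with `fillnull value="0" CODE | fillnull value="000" CODE1 CODE2` (which is the approach the asker settled on) and keep the plain equality checks, or to compare through `coalesce`, for example `coalesce(CODE, "0")="0"`; in all three the important thing is that each field gets its own null check, not a single `isnull(CODE)` repeated three times.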
Thanks for the reply, somesh... I tried another way: I first gave a table command, then filled the nulls with zero, and then gave the rest of the query.
Hi vrmandadi,
take a look at this answer https://answers.splunk.com/answers/176466/how-to-use-eval-if-there-is-no-result-from-the-bas-1.html to get an idea of how you can use eval if there is no result in the base search.
Hope this helps ...
cheers, MuS
Well, mine is a different scenario. I got the result and did it another way: I first gave a table command, then filled the nulls with zero, and then gave the rest of the query.