Add results depending on different fields

BaptVe
Path Finder

Hello,

I'm looking to add the results of a count from different fields into one table:

 index=XXXX sourcetype="XXXXXX" type=ERROR errorType="*" OR errorType2="*" OR NPE="*" | stats count by errorType

When I run this search, I only get the stats count for the errorType, but I'd like to add the count for errorType2 and NPE and make a table with all of these results.

The table should look like this:

Name of Error          Count

navigation.Error       7896  
navigation.ErrorMenu   1780  
operation.Error        177  
validation.Error       96  

where, for example, navigation comes from errorType, operation comes from errorType2, ...

Thanks for your help!

0 Karma

BaptVe
Path Finder

Hello,

Thanks for your help everyone, I didn't try your queries because I started looking at another way to do the job:
I had trouble at the beginning with my logs (they were very different), so I created multiple fields to match them all and tried to coalesce them all.

But finally I found a way to create better fields and make my errorType & errorType2 match in one field!
I had to work a little bit on the regex and delete the old fields I created, so I can't try your queries!

I apologize for the lost time and thank you all for your help.
Maybe these queries will be useful for someone else!

0 Karma

somesoni2
SplunkTrust

Another simple option would be to use the coalesce command:

index=XXXX sourcetype="XXXXXX" type=ERROR errorType="*" OR errorType2="*" OR NPE="*" | eval errorType=coalesce(errorType, errorType2, NPE)| stats count by errorType

http://docs.splunk.com/Documentation/Splunk/6.4.0/SearchReference/CommonEvalFunctions

woodcock
Esteemed Legend

If mutually-exclusive, like this:

index=XXXX sourcetype="XXXXXX" type=ERROR errorType="*" OR errorType2="*" OR NPE="*" | eval errorType = case(
   isnotnull(errorType), "errorType",
   isnotnull(errorType2), "errorType2",
   isnotnull(NPE), "NPE",
   true(), "ERROR!")
| stats count AS "Name of Error" BY errorType

Otherwise, like this:

index=XXXX sourcetype="XXXXXX" type=ERROR errorType="*" OR errorType2="*" OR NPE="*" | fillnull value="NULL" errorType errorType2 NPE | stats count AS "Name of Error" BY errorType errorType2 NPE

The other answers skip fillnull and without this, you will drop events (try it and you will see).
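To make the point about dropped events concrete, here is a small Python model of how `coalesce`, `fillnull` and `stats count BY` treat null fields. It is an added example, not code from the thread or from Splunk; the events are constructed, and the functions only model the null-handling semantics (not multivalue fields or anything else Splunk does). Run it and compare the totals: counting by a single field that is only sometimes present drops events, counting by all three fields without `fillnull` drops everything, and either `coalesce` or `fillnull` keeps the total equal to the number of events.

```python
from collections import Counter

# Constructed sample events (not from the original thread). Each dict is one
# Splunk event after field extraction; a missing key models a null field.
EVENTS = [
    {"type": "ERROR", "errorType": "navigation.Error"},
    {"type": "ERROR", "errorType": "navigation.Error"},
    {"type": "ERROR", "errorType": "navigation.ErrorMenu"},
    {"type": "ERROR", "errorType2": "operation.Error"},
    {"type": "ERROR", "NPE": "validation.Error"},
    # Not mutually exclusive: two of the fields are present on one event.
    {"type": "ERROR", "errorType": "navigation.Error", "errorType2": "operation.Error"},
]


def coalesce(event, *fields):
    """Model of eval x=coalesce(a, b, c): first field that is non-null."""
    for f in fields:
        if event.get(f) is not None:
            return event[f]
    return None


def stats_count_by(events, *fields):
    """Model of stats count BY f1 f2 ...

    An event whose group-by fields are not all present is dropped, which is
    why skipping fillnull silently loses events.
    """
    counts = Counter()
    for ev in events:
        values = [ev.get(f) for f in fields]
        if any(v is None for v in values):
            continue  # dropped from the stats output
        key = values[0] if len(fields) == 1 else tuple(values)
        counts[key] += 1
    return dict(counts)


def fillnull(events, value, *fields):
    """Model of fillnull value=<value> f1 f2 ...: substitute for nulls."""
    return [
        {**ev, **{f: value if ev.get(f) is None else ev[f] for f in fields}}
        for ev in events
    ]


def count_by_coalesced(events):
    """eval errorType=coalesce(errorType, errorType2, NPE) | stats count BY errorType"""
    merged = [
        {**ev, "errorType": coalesce(ev, "errorType", "errorType2", "NPE")}
        for ev in events
    ]
    return stats_count_by(merged, "errorType")


if __name__ == "__main__":
    print("by errorType only:", stats_count_by(EVENTS, "errorType"))
    print("coalesced:", count_by_coalesced(EVENTS))
    print("by three fields, no fillnull:",
          stats_count_by(EVENTS, "errorType", "errorType2", "NPE"))
    filled = fillnull(EVENTS, "NULL", "errorType", "errorType2", "NPE")
    print("by three fields, with fillnull:",
          stats_count_by(filled, "errorType", "errorType2", "NPE"))
```

The three-field `fillnull` variant keeps every event but produces one row per combination, so the last event above (both `errorType` and `errorType2` set) lands in its own row rather than being attributed to either error name; `coalesce` instead attributes it to the first non-null field. Which one is right depends on whether the fields really are mutually exclusive in your data.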

woodcock
Esteemed Legend

Actually, the first option should be this:

index=XXXX sourcetype="XXXXXX" type=ERROR errorType="*" OR errorType2="*" OR NPE="*" | eval errorType=coalesce(errorType, errorType2, NPE) | stats count AS "Name of Error" BY errorType
0 Karma

BaptVe
Path Finder
index=XXXX sourcetype="XXXXXX" type=ERROR errorType="*" OR errorType2="*" OR NPE="*" | rename errorType2 AS errorType | rename NPE AS errorType | stats count by errorType

==> Only keeps the results of NPE.

And the other solutions you gave me didn't work:
they only keep part of the results!

Perhaps I should search with append / join / appendcols / ...

Still searching for an answer, thanks for your help!

0 Karma

jkat54
SplunkTrust

Or this:

index=XXXX sourcetype="XXXXXX" type=ERROR errorType="*" OR errorType2="*" OR NPE="*" | rename errorType2 AS errorType NPE AS errorType | stats count by errorType | rename errorType AS "Name of Error"

NOUMSSI
Builder

Hi,
try this:

index=XXXX sourcetype="XXXXXX" type=ERROR errorType="*" OR errorType2="*" OR NPE="*" | stats count by errorType, errorType2, NPE