Hello,
I'm looking to add the results of a count from different fields in one for a table:
index=XXXX sourcetype="XXXXXX" type=ERROR errorType="*" OR errorType2="*" OR NPE="*" | stats count by errorType
When I run this search, I only get the stats count for the errorType, but I'd like to add the count for errorType2 and NPE and make a table with all of these results.
The table should look like this:
Name of Error            Count
navigation.Error         7896
navigation.ErrorMenu     1780
operation.Error          177
validation.Error         96
where, for example, navigation comes from errorType, operation comes from errorType2, ...
Thanks for your help!
Hello,
Thanks for your help everyone. I didn't try your queries because I started looking for another way to do the job:
I had trouble at the beginning with my logs (they were very different), so I created multiple fields to match them all and tried to coalesce them all.
But finally I found a way to create a better field and make my errorType & errorType2 match in one field!
I had to work a little bit on the regex and delete the old fields I created, so I can't try your queries!
I apologize for the loss of time and thank you all for your help.
Maybe these queries will be useful for someone else!
Another simple option would be to use the coalesce command:
index=XXXX sourcetype="XXXXXX" type=ERROR errorType="*" OR errorType2="*" OR NPE="*" | eval errorType=coalesce(errorType, errorType2, NPE)| stats count by errorType
http://docs.splunk.com/Documentation/Splunk/6.4.0/SearchReference/CommonEvalFunctions
If mutually-exclusive, like this:
index=XXXX sourcetype="XXXXXX" type=ERROR errorType="*" OR errorType2="*" OR NPE="*" | eval errorType = case(
isnotnull(errorType), "errorType",
isnotnull(errorType2), "errorType2",
isnotnull(NPE), "NPE",
true(), "ERROR!")
| stats count AS "Name of Error" BY errorType
Otherwise, like this:
index=XXXX sourcetype="XXXXXX" type=ERROR errorType="*" OR errorType2="*" OR NPE="*" | fillnull value="NULL" errorType errorType2 NPE | stats count AS "Name of Error" BY errorType errorType2 NPE
The other answers skip fillnull, and without this, you will drop events (try it and you will see).
Actually, the first option should be this:
index=XXXX sourcetype="XXXXXX" type=ERROR errorType="*" OR errorType2="*" OR NPE="*" | eval errorType=coalesce(errorType, errorType2, NPE) | stats count AS "Name of Error" BY errorType
index=XXXX sourcetype="XXXXXX" type=ERROR errorType="*" OR errorType2="*" OR NPE="*" | rename errorType2 AS errorType | rename NPE AS errorType | stats count by errorType
==> Only keep the results of NPE.
And the other solutions you gave me didn't work:
They only keep a part of the results!
Perhaps I should search with append / join / appendcols / ...
Still searching for an answer, thanks for your help!
Or this:
index=XXXX sourcetype="XXXXXX" type=ERROR errorType="*" OR errorType2="*" OR NPE="*" | rename errorType2 AS errorType NPE AS errorType | stats count by errorType | rename errorType AS "Name of Error"
Hi,
try this:
index=XXXX sourcetype="XXXXXX" type=ERROR errorType="*" OR errorType2="*" OR NPE="*" | stats count by errorType, errorType2, NPE
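
The difference between the answers in this thread, as an added example that is not from any of the posters: a small Python model of `stats count BY`, `coalesce` and `fillnull` run over constructed events, showing which variants lose events when each event carries only one of the three fields. The sample events and the helper names are assumptions made for the illustration.

```python
from collections import Counter

# Constructed sample events: each one carries exactly one of the three fields,
# as in the question (values reuse names from the question's table).
EVENTS = (
    [{"errorType": "navigation.Error"}] * 3
    + [{"errorType2": "operation.Error"}] * 2
    + [{"NPE": "validation.Error"}]
)
FIELDS = ("errorType", "errorType2", "NPE")


def stats_count_by(events, by):
    """Model of `stats count BY f1 f2 ...`: an event that lacks any
    BY field contributes to no result row."""
    rows = Counter()
    for ev in events:
        if all(ev.get(f) is not None for f in by):
            rows[tuple(ev[f] for f in by)] += 1
    return dict(rows)


def coalesce(events, target, sources):
    """Model of `eval target=coalesce(s1, s2, ...)`: first non-null wins."""
    out = []
    for ev in events:
        value = next((ev[s] for s in sources if ev.get(s) is not None), None)
        out.append({**ev, target: value} if value is not None else dict(ev))
    return out


def fillnull(events, fields, value="NULL"):
    """Model of `fillnull value="NULL" f1 f2 ...`: fill only missing fields."""
    return [{**ev, **{f: value for f in fields if ev.get(f) is None}}
            for ev in events]


if __name__ == "__main__":
    print("by errorType only:   ", stats_count_by(EVENTS, ("errorType",)))
    print("by all three fields: ", stats_count_by(EVENTS, FIELDS))
    print("coalesce, then by:   ",
          stats_count_by(coalesce(EVENTS, "errorType", FIELDS), ("errorType",)))
    print("fillnull, then by:   ",
          stats_count_by(fillnull(EVENTS, FIELDS), FIELDS))
```

The row counts in the coalesce and fillnull variants add up to the number of input events, which is a quick check to run against a real search as well.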