Hi All,
Apologies if this is too simple a question and has been asked 100 times, but I can't seem to find the answer I'm looking for.
For the time being, I simply want to graph the number of transaction statuses over time from a sourcetype which shows the following: "SUCCESS", "FAILED", "BLOCKED"...
However, for failed transactions, the data is coming in with failed status = "FAIL" or "FAILURE".
How can I make "FAILED = FAIL + FAILURE", and plot status = SUCCESS and status = BLOCKED alongside it?
I'm currently using the search:
sourcetype=mydata | stats count by status
As per below:
Cheers,
Craig
Try this!
sourcetype=mydata | eval status=if(status="FAIL" OR status="FAILURE","FAILED",status) | stats count by status
Since Hiroshi beat me to it with eval, for completeness here is how you can do it with foreach
sourcetype=mydata
| stats count by status
| foreach status [eval <<FIELD>> = if((<<FIELD>>=="FAIL" OR <<FIELD>>=="FAILURE"),"FAILED",<<FIELD>>) ]
| stats sum(count) as count by status
See: http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Foreach
Thanks for the reply mate.
Interested to investigate this method a little further.
When I run your command, it doesn't seem to return any results :s
Interesting - it definitely should!
Here's a run anywhere example:
|gentimes start=-1
| eval status="FAIL"
| stats count by status
| foreach status [eval <<FIELD>> = if((<<FIELD>>=="FAIL" OR <<FIELD>>=="FAILURE"),"FAILED",<<FIELD>>) ]
| stats sum(count) as count by status
Beat me to it!
Awesome, thanks guys 🙂
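The searches in this thread return totals per status, while the question asks for a graph over time. The following run-anywhere search is an added example, not posted by anyone in the thread: it builds twelve constructed events five minutes apart (the makeresults, streamstats and first two eval lines exist only to generate sample data), applies the same eval normalization, and uses timechart to produce one series each for SUCCESS, BLOCKED and FAILED.

```spl
| makeresults count=12
| streamstats count as n
| eval _time = relative_time(now(), "-1h@h") + n*300
| eval status = case(n%4==0, "FAIL", n%4==1, "FAILURE", n%4==2, "SUCCESS", true(), "BLOCKED")
| eval status = if(status="FAIL" OR status="FAILURE", "FAILED", status)
| timechart span=15m count by status
```

To run it against real data, replace the first four lines with sourcetype=mydata and keep the last two.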