Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to get overall stats if in a single log a particular event is missing?

Matinrokz
New Member
‎02-20-2018 03:10 AM

Hello There,

I am trying to get an overall stats for all the logs with a particular sourcetype, however in some sourcetye a particular event is missing from which i am applying a filter, for an example there are 10 (2 where test from my side, 5 success and 3 fail), if i have to filter out test there is only 1 way i.e. by locator now problem is for 'failure' locator does not get fired, hence if I apply a filter to exclude test, I am not getting stats of Failure as well, can anyone please help me how can i get overall stats by only excluding test and getting insights on both Success and fail?

below is the script which i am using.

sourcetype=book_resptime (locator!="TST*" OR locator!="TEST*") |
| stats count(book_success) AS Book, count(eval(book_success=0)) AS BookFail by connector

Thanks

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-20-2018 04:21 AM

Thank you!

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-20-2018 03:52 AM

Please don't tag questions with an app if they're not related to that app.

0 Karma
Reply

Matinrokz
New Member
‎02-20-2018 04:03 AM

Removed the app tag

0 Karma
Reply

493669
Super Champion
‎02-20-2018 03:18 AM

can you try like:

sourcetype=book_resptime (locator!="TST*" OR locator!="TEST*") |fillnull locator value=0| stats count(book_success) AS Book, count(eval(book_success=0)) AS BookFail by connector
0 Karma
Reply

Matinrokz
New Member
‎02-20-2018 03:26 AM

Hey Thanks for that, for Bookfail locator will not get fired, so it's not working.

0 Karma
Reply

493669
Super Champion
‎02-20-2018 03:28 AM

so by using fillnull you can fill null values...does this solves your issue?

0 Karma
Reply

Matinrokz
New Member
‎02-20-2018 03:30 AM

no, it's not working.

0 Karma
Reply

493669
Super Champion
‎02-20-2018 03:47 AM

if there are only 3 values then firstly you can try (locator="success" OR locator="fail")
then can you provide sample output of events

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-20-2018 03:13 AM

Is this related to the Regex IDS app?

0 Karma
Reply

Matinrokz
New Member
‎02-20-2018 03:44 AM

Not exactly, but if regex IDS can help to get that desired answer will install that.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...