Stats on the count of Information and critical logs in Splunk

macadminrohit
Contributor

We have logs in Splunk with the field level=ERROR OR INFORMATION OR CRITICAL, and we want to do a stats on the count of (ERROR OR CRITICAL) events and INFORMATION events.

Basically, we want to see the ratio of INFORMATION events to NON-INFORMATION events per app.


somesoni2
SplunkTrust

Your base search is wrongly grouped for the level field filter, if it's the same as what you posted in the question. All level field filters should be applied as an ORed list, as you want to select events with all three values of the field level. Your current search looks for level=Information AND level=Error OR level=Critical, and that's not possible as level can't have two values in the same event. Try like this:

index=servers sourcetype=json app=* (level=Error OR level=Critical OR level=Information) | stats count(eval(if(level!="Information",1,null()))) as ErrorCount count(eval(if(level="Information",1,null()))) as InfoCount by hdr.appName

Another option:

index=servers sourcetype=json app=* (level=Error OR level=Critical OR level=Information) | chart count over hdr.appName by level
| rename Information as InfoCount | eval ErrorCount=Error+Critical | table hdr.appName ErrorCount InfoCount

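As an added example that is not part of the accepted answer or the original thread, the search below extends the first option to produce the per-app ratio the question actually asked for. It keeps the index, sourcetype and field names from the answer (index=servers, sourcetype=json, hdr.appName); the output field names Total, InfoToNonInfoRatio and InfoPercent are my own choices, and the "n/a" marker for apps with no non-Information events is an assumption about how you want a zero denominator shown.

```spl
index=servers sourcetype=json app=* (level=Error OR level=Critical OR level=Information)
| stats count(eval(if(level="Information", 1, null()))) AS InfoCount
        count(eval(if(level!="Information", 1, null()))) AS ErrorCount
        count AS Total
        BY hdr.appName
| eval InfoToNonInfoRatio=if(ErrorCount > 0, round(InfoCount / ErrorCount, 3), "n/a")
| eval InfoPercent=round(100 * InfoCount / Total, 1)
| sort - ErrorCount
| table hdr.appName Total InfoCount ErrorCount InfoToNonInfoRatio InfoPercent
```

The parentheses around the three level= terms are the whole fix: Splunk evaluates OR clauses before the implicit AND between search terms, so without them the search silently narrows to events that are both Information and Error/Critical, which is why every count came back as 0. The stats form is preferred over the chart form for the ratio because count() returns 0 rather than null for an app with no matching events, so no coalesce() is needed before dividing; with the chart variant, Error+Critical becomes null whenever one of those columns is absent for the time range, and the ratio row silently disappears.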


macadminrohit
Contributor

I changed my search to exclude the level; still, it is not showing any values other than 0. But your second search worked well.

macadminrohit
Contributor

I wrote a query like this :

index=servers sourcetype=json app=* level=Error OR level=Critical level=Information | stats count(eval(if(level!="Information",1,null))) as ErrorCount count(eval(if(level="Information",1,null))) as InfoCount by hdr.appName

but it displays 0 for all the counts of ErrorCount and InfoCount, whereas I had the matching events.

macadminrohit
Contributor

Changed it to stats count(eval(level!="Information")) as ErrorCount count(eval(level="Information")) as InfoCount by appName; still showing 0 for everything.

493669
Super Champion

Can you try this:

index=servers sourcetype=json | stats count(eval(level!="Information")) as ErrorCount count(eval(level="Information")) as InfoCount by appName

macadminrohit
Contributor

Still returns 0 for everything.