how to write query to show only failure records fr...

Malliv · ‎06-22-2018

index=axway* sourcetype=":messages" SENDERROUTINGID="KNPROD" |stats count by PRODUCTIONFILENAME|fields - count |rename PRODUCTIONFILENAME as FileName |join type=left FileName [search index=axway APPLICATION="CRD_3PL_TO_S4_GOODSRCPT" STATE=* | eval temp=split(FILENAME,"/")| eval count=mvcount(temp)| eval FileName=mvindex(temp,-1) |eval status=if(STATE like "%COMPLETE%" ,"Success","Failure") |stats latest(status) as status by APPLICATION FileName |stats count(eval(status="Failure")) as FailureCount by FileName APPLICATION status |replace CRD_3PL_TO_S4_GOODSRCPT
WITH "IDD_CRD_SCS_022" IN APPLICATION |rename APPLICATION as InterfaceID ] |eval Applicationstatus_MFT=if(status="_", "Failure","Success") |table InterfaceID FileName Applicationstatus_MFT |stats count(FileName) as FileVolume count(eval(Applicationstatus_MFT!="Success")) as FailFileCount by InterfaceID Applicationstatus_MFT

kmaron · ‎06-22-2018

You can just add | search ApplicationStatus_MFT!="Success" after your eval that creates Applicationstatus_MFT.

Though if you area only showing failures you may be able to remove some of the other pieces from your query.

Malliv · ‎06-25-2018

When I run with the above command :I got this message "no results found yet". Right now I dont have failed records so should I trust this query as correct?

how to write query to show only failure records from the following query with field filter is Applicationstatus_MFT!="Success"

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM