Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to group events and extract a field when group...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kevinkuszyk
Engager
11-20-2018
06:06 AM
We have some overnight jobs that run and log out to Splunk. On top of this, we have a dashboard which groups by the job id and extracts information like start time, end time, duration etc.
The query looks a bit like this:
index=foo | stats range(_time) as duration by job-id | table job-id duration
We now want to add a status column to tell us if the job completed or had an error. If any of the events in a grouping have a log level of ERROR it should show Error, otherwise it should show Ok.
I've tried this snippet:
eval status=if(in(level, "ERROR"), "Error", "Ok")
Which is fine for evaluating on each event, but I want the grouping to show either Error or Ok depending on values in the the level field for each group.
Is this possible in Splunk, and how should I write the query?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
11-20-2018
07:18 AM
@kevinkuszyk ,
Try this ,
|stats min(eval(if(level=="ERROR","Error","Ok"))) as status by group
OR
|stats count(eval(if(level=="ERROR",1,null()))) as status by group|eval status=if(status>0,"Error","Ok")
Happy Splunking!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
11-21-2018
08:12 AM
Maybe this:
index=foo
| stats range(_time) AS duration count(eval(level="ERROR")) AS Errors BY job-id
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
11-20-2018
04:19 PM
Like this:
Your base search here
| stats count(eval(level == "ERROR")) AS errors count AS total BY group
| eval non_errors = total - errors
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
11-20-2018
07:18 AM
@kevinkuszyk ,
Try this ,
|stats min(eval(if(level=="ERROR","Error","Ok"))) as status by group
OR
|stats count(eval(if(level=="ERROR",1,null()))) as status by group|eval status=if(status>0,"Error","Ok")
Happy Splunking!
Get Updates on the Splunk Community!
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
The Transformative Power of AI and ML in Enhancing Observability
In the realm of IT operations, the ...
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
