
Could you help me make a query which returns results on devices that fail and succeed?

dbcase
Motivator

Hi,

I have this query that counts the type of failure for a given device, which works just fine.

index=wholesale_app DynamicChoice Properties.index=3 buildTarget=blah product=*|stats count by Properties.args{}| appendpipe [stats count | where count=0]

The request is: if the device fails and retries (possibly several times) but ultimately succeeds, then don't count it as a failure.

The data looks like this for a failure:

{
  "Properties": {
    "args": ["CONNECTION_FAILURE"],
    "category": "Event",
    "index": 3
  },
  "analyticType": "DynamicChoice",
  "buildTarget": "cox",
  "clientSessionId": "DZLPTNZ-XQGUW",
  "product": "Converge"
}

and if it succeeds it would look like this:

{
  "Properties": {
    "args": ["CONNECTED"],
    "category": "Event",
    "index": 2
  },
  "analyticType": "DynamicChoice",
  "buildTarget": "cox",
  "clientSessionId": "DZLPTNZ-XQGUW",
  "product": "Converge"
}

The client session ID is the common field. Properties.index=3 contains all the failures while Properties.index=2 contains all the successes. How would I go about doing this?


DalJeanis
Legend

This construction...

 | stats count | where count=0 

will never return anything. stats can only count what is there, so if nothing is there, it cannot be counted.

Try something like

 index=wholesale_app DynamicChoice (Properties.index=3 OR Properties.index=2) buildTarget=blah product=*
| stats count by Properties.args{} Properties.index

I suspect you may also need to include an spath command to interpret the json before the stats command.


dbcase
Motivator

Hi, this query works but doesn't seem to correlate a session where it failed to connect multiple times but then succeeded.


renjith_nair
Legend

@dbcase,

Try this if you just want the failure count:

index=wholesale_app DynamicChoice buildTarget=cox product=*
|stats latest(Properties.index) as StatusIndex,latest(Properties.args{}) as TypeOfFailures by clientSessionId
|where StatusIndex=3|stats count by TypeOfFailures

And try this for both successes and failures:

index=wholesale_app DynamicChoice buildTarget=cox product=*
|stats latest(Properties.index) as StatusIndex,latest(Properties.args{}) as TypeOfFailures by clientSessionId
|stats count(eval(if(StatusIndex==3,clientSessionId,null()))) as Failures,
       count(eval(if(StatusIndex==2,clientSessionId,null()))) as Success by TypeOfFailures
---
What goes around comes around. If it helps, hit it with Karma 🙂

dbcase
Motivator

Hmmmm, the success and failure query above does output a stats table, but it has numerics in the type-of-failures column, and success/failures is always zero.


renjith_nair
Legend

@dbcase,
Are you getting results after

 index=wholesale_app DynamicChoice buildTarget=cox product=*
 |stats latest(Properties.index) as StatusIndex,latest(Properties.args{}) as TypeOfFailures by clientSessionId
---
What goes around comes around. If it helps, hit it with Karma 🙂

dbcase
Motivator

Yep, it looks like this:

clientSessionId    StatusIndex  TypeOfFailures
DZLPUTF-ALWMOVJ    15           1726
DZLQZKA-WSFXAP     15           9385
DZLTKFI-BQWWEN     13           3152
DZLUBKP-ALZFENT    2            STREAMING


dbcase
Motivator

ugh the formatting leaves a lot to be desired


renjith_nair
Legend

@dbcase, thanks for that. From the output, the last record has a type of failure as "streaming" and gives me a 1 under success since the StatusIndex is 2. So it works for the last record.

TypeOfFailures  Failures  Success
1726            0         0
3152            0         0
9385            0         0
STREAMING       0         1

Now for the others (3 out of 4), the types of failure are coming through as integers. What do you have in Properties.Args? Is that field extracted from the JSON, and does it hold only string values?

---
What goes around comes around. If it helps, hit it with Karma 🙂
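One way to apply the "only count a session as a failure if it never ends up connected" rule, added here as an example query and not taken from any of the posts above. It assumes, as the question states, that the connection events are the ones with Properties.index 2 or 3, so it restricts the search to those before latest() runs (the StatusIndex values of 15 and 13 in the output above suggest the unfiltered latest() is picking up other event types), that the JSON fields are extracted the same way they are in the original query, and that latest() orders on _time.

```spl
index=wholesale_app analyticType=DynamicChoice buildTarget=cox product=*
    (Properties.index=2 OR Properties.index=3)
| eval outcome=if(tonumber('Properties.index')==2, "success", "failure")
| stats latest(outcome) AS finalOutcome
        count(eval(outcome=="failure")) AS failedAttempts
        values(eval(if(outcome=="failure", 'Properties.args{}', null()))) AS failureTypes
        BY clientSessionId
| where finalOutcome="failure"
| stats count AS sessions, sum(failedAttempts) AS attempts BY failureTypes
```

A session that failed several times and then connected ends with finalOutcome="success" and is dropped by the where; to report both outcomes in one table, swap the where and final stats for a count(eval(...)) split like the one in the second query above.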