Splunk Search

How to write a query to show only failure records from the following query, with the field filter Applicationstatus_MFT!="Success"?

Malliv
New Member

index=axway* sourcetype=":messages" SENDERROUTINGID="KNPROD"
| stats count by PRODUCTIONFILENAME
| fields - count
| rename PRODUCTIONFILENAME as FileName
| join type=left FileName
    [search index=axway APPLICATION="CRD_3PL_TO_S4_GOODSRCPT" STATE=*
    | eval temp=split(FILENAME,"/")
    | eval count=mvcount(temp)
    | eval FileName=mvindex(temp,-1)
    | eval status=if(STATE like "%COMPLETE%" ,"Success","Failure")
    | stats latest(status) as status by APPLICATION FileName
    | stats count(eval(status="Failure")) as FailureCount by FileName APPLICATION status
    | replace CRD_3PL_TO_S4_GOODSRCPT WITH "IDD_CRD_SCS_022" IN APPLICATION
    | rename APPLICATION as InterfaceID ]
| eval Applicationstatus_MFT=if(status="_", "Failure","Success")
| table InterfaceID FileName Applicationstatus_MFT
| stats count(FileName) as FileVolume count(eval(Applicationstatus_MFT!="Success")) as FailFileCount by InterfaceID Applicationstatus_MFT

0 Karma

kmaron
Motivator

You can just add | search Applicationstatus_MFT!="Success" after your eval that creates Applicationstatus_MFT.

Though if you are only showing failures you may be able to remove some of the other pieces from your query.

0 Karma

Malliv
New Member

When I run with the above command, I got this message: "no results found yet". Right now I don't have failed records, so should I trust this query as correct?

0 Karma
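
A failure filter that returns nothing can be checked without waiting for a real failed transfer by feeding the same eval and search lines a few constructed rows. This is an added example, not part of the original posts: the rows generated with makeresults, the test_case labels and the file names are constructed, while the eval and search lines are taken from the thread, with the field name spelled as in the eval.

```spl
| makeresults count=3
| streamstats count as n
| eval InterfaceID="IDD_CRD_SCS_022", FileName="constructed_file_".n.".xml"
| eval test_case=case(n=1, "constructed row: subsearch status Success", n=2, "constructed row: subsearch status Failure", n=3, "constructed row: no join match, status missing")
| eval status=case(n=1, "Success", n=2, "Failure")
| eval Applicationstatus_MFT=if(status="_", "Failure","Success")
| search Applicationstatus_MFT!="Success"
| table test_case InterfaceID FileName status Applicationstatus_MFT
```

If the row whose status is Failure does not come back, the eval that derives Applicationstatus_MFT needs attention rather than the filter. Removing the search line shows the value the eval assigned to each constructed row.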