Splunk Search

splunk search giving same results in table

leomedina
Explorer

Hello,

The below search is producing the same data for success and errors...

index=datapower ApplicationName="mpgw(OAuth-subscription)" "HTTP response code"
| lookup http_response_codes.csv response_code OUTPUT description
| stats count as Success by ApplicationName
| append [search index=datapower ApplicationName="mpgw(OAuth-subscription)" "HTTP response code" 
| stats count as Errors by ApplicationName]
| stats values(Success) as Success, values(Errors) as Errors by ApplicationName

1) How can I make this query output the data where it needs to go? Do I need to create multiple lookups (one for successes and one for errors)? My http_response_codes.csv has a ton of response codes. If so, what would that search look like? Greatly appreciate the help.

0 Karma
1 Solution

woodcock
Esteemed Legend

Try this:

 index=datapower ApplicationName="mpgw(OAuth-subscription)" "HTTP response code"
| lookup http_response_codes.csv response_code OUTPUT description
| stats count(eval(match(description, "success"))) AS Success count(eval(match(description, "error"))) AS Errors BY ApplicationName


0 Karma


leomedina
Explorer

Thank you Mr. Woodcock!

I made some minor modifications on my end but your guidance led me there. I ended up creating a new lookup csv with the status of success or fail in a separate column next to the http codes and was then able to use the above query.

Thanks again!

0 Karma
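As an added example (not code from any poster in this thread), this is the shape of the approach leomedina describes: a lookup CSV with a status column beside the HTTP code, and one stats pass that counts by that column instead of appending two identical counts. Assumed: the CSV has columns `response_code,description,status` with rows such as `200,OK,success` and `500,Internal Server Error,fail`; the `status` column name, the numeric-range fallback for codes missing from the lookup, and the `Unclassified` bucket are additions here, while the index, ApplicationName and lookup file name come from the thread.

```spl
index=datapower ApplicationName="mpgw(OAuth-subscription)" "HTTP response code"
| lookup http_response_codes.csv response_code OUTPUT description status
| eval status=coalesce(status,
    case(tonumber(response_code) >= 400, "fail",
         tonumber(response_code) < 400,  "success",
         true(), "unknown"))
| stats count(eval(status="success")) AS Success,
        count(eval(status="fail"))    AS Errors,
        count(eval(status="unknown")) AS Unclassified,
        count AS Total
  BY ApplicationName
| eval ErrorRate=round(100*Errors/Total, 2)
```

Codes absent from the CSV fall back to a range-based classification, and anything that is not a number lands in Unclassified rather than being silently counted as a success, so a growing Unclassified column is a signal that the lookup needs updating.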

woodcock
Esteemed Legend

Be sure to Upvote any helpful answers and click Accept on the best one to close the Question and let others know what worked.

0 Karma

andrey2007
Contributor

Hello, leomedina

It looks like you should correct the stats statement, because right now you count the same thing in the first search and after the append:

1. index=datapower ApplicationName="mpgw(OAuth-subscription)" "HTTP response code"
...
| stats count as Success by ApplicationName

2. [search index=datapower ApplicationName="mpgw(OAuth-subscription)" "HTTP response code"
| stats count as Errors by ApplicationName]

You only rename the results in different ways (Success and Errors).

Maybe you should try something like this, to restrict the first case to only successes and the second to only errors:

 index=datapower ApplicationName="mpgw(OAuth-subscription)" "HTTP response code"
 | lookup http_response_codes.csv response_code OUTPUT description
 | search description="*success*"
 | stats count as Success by ApplicationName
 | append [search index=datapower ApplicationName="mpgw(OAuth-subscription)" "HTTP response code" 
 | lookup http_response_codes.csv response_code OUTPUT description
 | search description="*error*"
 | stats count as Errors by ApplicationName]
0 Karma