Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

stats count by multiple values with conditions

ashishv
Explorer
‎11-27-2013 11:11 AM

Hello All,

i have the following query with results:

Query:
index=X1 OR index=X2 OR index=X3 OR index=X4| stats count by result_action

result_action count

Failure 356
Success 591
Failure with condition1 5
Success with condition1 58088
Check Resource 47245
Data Store Error 4
Read User Properties 7381
User Token Created 38737
User Token Failed 77818

I would like to collapse all result_actions and group them as follows.

Success= value
Failure=value
Total=Value

Could anyone help here

Thanks
Ashish

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

delink
Communicator
‎11-27-2013 11:18 AM

The easiest thing to do here would be to create tags for each value with your desired groups above. Setting the tag "success" on result_action="Success with condition" and so on.

You could then write a search like:



index=X1 OR index=X2 OR index=X3 OR index=X4| stats count by tag::result_action

Hope that helps!

View solution in original post

Reply
Solved! Jump to solution

ashishv
Explorer
‎11-27-2013 11:19 AM

if there is a Fail in result_action it is a FAILED & if Succ in result_action it is a SUCCESS.

thnx

0 Karma
Reply
Solved! Jump to solution
Solution

delink
Communicator
‎11-27-2013 11:18 AM

The easiest thing to do here would be to create tags for each value with your desired groups above. Setting the tag "success" on result_action="Success with condition" and so on.

You could then write a search like:



index=X1 OR index=X2 OR index=X3 OR index=X4| stats count by tag::result_action

Hope that helps!

Reply
Solved! Jump to solution

delink
Communicator
‎11-27-2013 12:00 PM

Excellent. If you wouldn't mind voting up the answer and selecting it as the correct answer, I would appreciate it.

0 Karma
Reply
Solved! Jump to solution

ashishv
Explorer
‎11-27-2013 11:58 AM

Yep that worked, thnx…

Ashish

0 Karma
Reply
Solved! Jump to solution

delink
Communicator
‎11-27-2013 11:41 AM

No problem at all. In the search interface, you will want to go into the field picker and make result_action a selected field. It will then show up under each event in the search results. From there, you can click on the result_action=value in an event and you will see a Tag option there. Just add "success" or "failure" for each of the possible result_action values, then the search provided above will work.

Reply
Solved! Jump to solution

ashishv
Explorer
‎11-27-2013 11:36 AM

Sorry, newbie here… not sure how to add Tags.

0 Karma
Reply
Solved! Jump to solution

delink
Communicator
‎11-27-2013 11:34 AM

Did you go through and add all of the tags on various values of result_action? I was able to run a command like this on my own Splunk instance and count results by tags rather than the original values.

0 Karma
Reply
Solved! Jump to solution

ashishv
Explorer
‎11-27-2013 11:24 AM

this didnt work i got a "No result found"

0 Karma
Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎11-27-2013 11:14 AM

Which fields are you counting as failures, and which are successes?

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...