Hi,  I need help in a splunk search.  My requirement is get the stats for failed and successful count along with the percentage of Failed and  Successful  and at last I would need to fetch the stats only when the failed % is > 10 % My query works fine  until the below index=abcd | eval status= case(statuscode < 400, "Success", statuscode > 399,"Failed") | stats count(status) as TOTAL  count(eval(status="Success")) as Success_count  count(eval(status="Failed")) as Failed_count  by Name, URL | eval Success%= ((Success_count /TOTAL)*100) | eval Failed%= ((Failed_count /TOTAL)*100) The above works and I get the table with Name URL TOTAL  Success_count   Failed_count   Success% Failed% Now, when I add the below to the above query, It fails  | where Failed% > 10 How do I get the failed% > 10 with the above table. Please assist ... View more

Hi, I want to create a splunk table using multiple fields. Let me explain the scenario I have the following fields Name Role (multiple roles will exist for each name) HTTPrequest (There are multiple response as 2**,3**,4** and 5**) My final output  should be when the query is ran, It should the group the data in the below format for every day Date Name Role Success Failed  Total Failed % 01-Jan-23 Rambo Team lead 100 0 100 0 01-Jan-23 Rambo Manager 100 10 110 10 01-Jan-23 King operator 2000 100 2100 5 02-Jan-23 King Manager 100 0 100 0 03-Jan-23 cheesy Manager 100 10 110 10 04-Jan-23 cheesy Team lead 4000 600 4600 15     So, What I tried is  index=ABCD | bucket _time span=1d | eval status=case(HTTPrequest < 400,"Success",HTTPrequest > 399,"Failed" ) | stats count by _time Name Role status This works something as below but I need the success and failure  in to 2 seperate columns as I have shown above and also I need to add the failed % and total Date Name Role HTTPStatus COUNT 01-Jan-23 Rambo Team lead Success 100 01-Jan-23 Rambo Team lead Failed 0 01-Jan-23 Rambo Manager Success 100 01-Jan-23 Rambo Manager Failed 10 01-Jan-23 King operator Success 2000 01-Jan-23 King operator Failed 200 02-Jan-23 King Manager Success 10 03-Jan-23 cheesy Manager Success 300 04-Jan-23 cheesy Team lead Success 400   I used the chart count over X by Y but this allows me to use only 2 fields and not more than 2 Please could you suggest me on how to get this sorted.  ... View more

Hi, I want to create a table in the below format and provide the count for them. I have multiple fields in my index and I want to create a table(similar to a excel pivot) using three fields App Name, Response code and Method  index=abcd  | chart count  over App Name by Response code  --> Above works for me but I can create a table only using 2 fields.  How to create a table something as below format  with 3 fields or more than 3. Please could you help.  APP NAME RESPONSECODE RESPONSECODE RESPONSECODE 200 400 400 GET POST PATCH GET POST PATCH GET POST PATCH APP1                   APP2                   APP3                   APP4                   APP5                   APP6                   ... View more

Hi ,  Below is my raw data  { timestamp: 2023-09-10 Version:1 Kubernetes.namespace: X Kubernetes.node: Y App_id:12345 Host: server.ms.com Log:  21:46:32.268 [[Runtime].uber.471: [dasda-dasf-fasfs-import-1.0.0].vmstats.com] INFO net.das.com - ProcessCPUload=2.39| SystemCPUload=2.55|Initial memory=1.00| Usedheapmemory=0.70|Maxheap memory=0.95|commited_memory=0.95 S_sourcetype=x Source=lkms } Now, If query as index=123 | table log --> I get the complete data in the log field but my aim to create a table with columns as  ProcessCPUload, SystemCPUload, Usedheapmemory, Maxheap memory, commited_memory with their respective values.  Could you help on how could I achieve this please ... View more