"How are these transactions linked together... by a field called "ID"? If so.. just build them with the field ID, and then use one of the MV commands to extract a field with success or failure in it. Paste some samples and…"
The dojo of Splunk. Learn, share, teach, mentor.
Videos
Latest Activity
Nikita posted a discussionCount failures and success via transaction
Hi,I'm a new in Splunk so sorry for the stupid questions.I want to calculate failures in logs.For example we have request log and response log."request" OR ("fail" OR "response") |transaction startsWith=("request") endsWith=("fail" OR "response") maxpause=5s keepevicted=false maxspan=25s id |eval Failure=if(searchmatch("fail"),1,0)| eval Success=if(searchmatch("response"),1,0) | stats count(Failure) as FailureCount, count(Success) as SuccessCount | table FailureCount SuccessCountThat query…See More
sum fields in same event
I need to sum fields by other fields in the same event.
Here is an example event:
_time somefieldname somefieldvalue
6/26/10 3:09:23.000 AM A 1
A 1
B 2
B 2
How could I sum the values in somefieldvalue by somefieldname, then graph the sum. IE '| timechart span=1m avg(somefieldvalue) by somefield.'
For this event on the timechart A would equal to 2 and B would equal to 4.
I'm at a loss. Any help is appreciated.
Thanks,
Joe
Views: 80
Replies to This Discussion
-
Permalink Reply by Michael Wilde on -
Have you considered using " | makemv" to turn that event in to a multi-value field, so you end up with a=1 a=2 b=2 b=2 and then do an | eval a = a+a | eval b = b + b
© 2012 Created by Michael Wilde.
