Kumar Dev
Reputation: 75
Splunk - Get Prefefined Outputs Based on the event count and event data
I have a query as below. The result is always predefined as -
- If the query result has 3 events and if the 3rd event has event="delivered" as value then the whole transaction needs to be returned as "COMPLETE".
- If the 3rd event is present and event!="delivered" then the status becomes "PENDING"
- If the 3rd event is not present at all, then the transaction is marked as ERROR
My Query -
index=myindex OR index=myindex2 uuid=98as786-ffe6-4de1-929y-080e99bc2e6r (status="202") OR (TransactionStatus="PUBLISHED") | append [search index=myindex2 (logMessage="Producer created new event") event="delivered" OR event="processed" serviceName="abc" [search index=myindex uuid=98as786-ffe6-4de1-929y-080e99bc2e6r AND status="SUCCESS" AND serviceName="abc" | top limit=1 headerId | fields + headerId | rename headerId as message_id]]
Result events -
Event1 - 202 Accepted
Event 2 - Adapter Success
Event 3 - delivered or error or processed
My high level dashboard should look like below -
Complete - 6378638
Pending - 2173
Error - 6356
The unique ID will be the UUID on which the count to be performed. What can be the possible way we can do this - eval ? Lookup ? not sure as I am new to splunk. Please let me know if more information is needed if I am missing something.
Upvotes: 0
Views: 410
Answers (1)
RichG
Reputation: 9916
See if this helps. The terminology in your question is a little inconsistent so you may need to adjust the field names in this query.
index=myindex OR index=myindex2 uuid=98as786-ffe6-4de1-929y-080e99bc2e6r ((status="202") OR (TransactionStatus="PUBLISHED")) OR (index=myindex2 (logMessage="Producer created new event") event="delivered" OR event="processed" serviceName="abc") (index=myindex uuid=98as786-ffe6-4de1-929y-080e99bc2e6r AND status="SUCCESS" AND serviceName="abc" )
| stats count, latest(event) as event by headerId
| eval result=case(count=3 AND event="delivered", "COMPLETE", count=3 AND event!="delivered", "PENDING", count!=3, "ERROR", 1=1, "UNKNOWN")
| stats count by result
| table result count
Upvotes: 1
Related Questions
- Splunk : extract multiple values from each event
- Count and sum in splunk
- Group events by multiple fields in Splunk
- Splunk: Stats from multiple events and expecting one combined output
- How to count the total number of events in a splunk search result?
- Splunk - counting numeric information in events
- Splunk query based on the results of another query
- How to count results in Splunk and put them in a table?
- Splunk Query Count of Count
- How to extract correct fields and count to create report in Splunk?