Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

organizing multiple responses

jsmith39
Path Finder
‎01-27-2014 10:41 AM

How do you query an application log for multiple event codes and then organize them in a report based on what codes were seen?

I'm searching 40+ server application logs for backup exec codes and based upon success (34112 or 57755) or failure (34113 or 34114) Output the count to either a success or failure column organized by host name.

I know a way (though probably not the best way) to do either a success or failure, but not how to combine.

What I've got so far is
sourcetype="WMI:WinEventLog:Application" EventCode=57755 OR 34112 | stats count by tag, host | rename count as Success

It works, but is only looking for instances when thing went correctly.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dglinder
Path Finder
‎01-27-2014 11:07 AM

Can you use the eval command to set a new Success/Failure field?

sourcetype="WMI:WinEventLog:Application" EventCode=57755 OR EventCode=34112 OR EventCode=34113 OR EventCode=34114 | eval Outcome=case(EventCode==57755 OR EventCode==34112, "Success", EventCode==34113 OR EventCode==34114, "Failure") | search Outcome="Success" | stats count by host, Outcome

(Edit: minor fixes to the EventCode search and eval portions.)

View solution in original post

Reply
Solved! Jump to solution

jsmith39
Path Finder
‎01-27-2014 11:13 AM

Thank you very much!
Both of those queries worked perfectly if differently.

0 Karma
Reply
Solved! Jump to solution
Solution

dglinder
Path Finder
‎01-27-2014 11:07 AM

Can you use the eval command to set a new Success/Failure field?

sourcetype="WMI:WinEventLog:Application" EventCode=57755 OR EventCode=34112 OR EventCode=34113 OR EventCode=34114 | eval Outcome=case(EventCode==57755 OR EventCode==34112, "Success", EventCode==34113 OR EventCode==34114, "Failure") | search Outcome="Success" | stats count by host, Outcome

(Edit: minor fixes to the EventCode search and eval portions.)

Reply
Solved! Jump to solution

dglinder
Path Finder
‎01-27-2014 11:25 AM

Thanks lukejadamec - I've update the example.

Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎01-27-2014 10:59 AM

You can append the failure code data:

sourcetype="WMI:WinEventLog:Application" EventCode=57755 OR EventCode=34112 | stats count by tag, host | rename count as Success |append [search index=main sourcetype="WMI:WinEventLog:Application" EventCode=34113 OR EventCode=34114| stats count by tag, host | rename count as Failure]

Reply
Solved! Jump to solution

dglinder
Path Finder
‎01-27-2014 11:27 AM

I don't use sub-searches so I always forget their usefulness.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...