- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to get latest transactionId ?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I am trying to get count of enabled and disabled from field. Then i want to show the field values based on latest correlation ID.The currstatus field will run for every 10 min.
"content.currStatus"="*" |stats values(content.currStatus) as currStatus by latest(correlationId)|where currStatus!="Interface has no entry found in object Store"|stats count by currStatus
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You don't need the stats values() line
index="mulesoft" applicationName="scheduler" message="Upcoming :*" [search index="mulesoft" applicationName="scheduler" | stats latest(correlationId) as correlationId | table correlationId | format] |where `content.currStatus`!="Interface has no entry found in object Store"|stats count by `content.currStatus`- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @karthi2809 ,
if currStatus has values enabled or disabled, please try something like this:
"content.currStatus"="*" content.currStatus!="Interface has no entry found in object Store"
| rename content.currStatus AS currStatus
| stats
count(eval(currStatus="enabled"))AS enabled_count
count(eval(currStatus="disabled"))AS disabled_count
last(currStatus) AS last_currStatus
BY correlationId)In addition one hint: add always the index containing these events: you'll have a faster search and you'll be sure to take events.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just i want to show the latest correlationId and in your query its showing multiple correlationID and i just want show the count of enabled and disabled in pie chart.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
"content.currStatus"="*" [search <your index> | stats latest(correlationId) as correlationId | table correlationId | format] | where currStatus!="Interface has no entry found in object Store"|stats count by currStatus- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ITWhisperer
The query which is working but i need total counts of enabled and disabled in the output .Now its showing 1 for enabled and 1for disabled.But the event is getting 79
index="mulesoft" applicationName="scheduler" message="Upcoming :*" [search index="mulesoft" applicationName="scheduler" | stats latest(correlationId) as correlationId | table correlationId | format] |stats values(content.currStatus) as currStatus by correlationId|where currStatus!="Interface has no entry found in object Store"|stats count by currStatus
There are 79 events in this 74 is enabled and 5 are disabled .The values enabled and disabled from currstatus field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You don't need the stats values() line
index="mulesoft" applicationName="scheduler" message="Upcoming :*" [search index="mulesoft" applicationName="scheduler" | stats latest(correlationId) as correlationId | table correlationId | format] |where `content.currStatus`!="Interface has no entry found in object Store"|stats count by `content.currStatus`- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Got it thanks its working and latest correlationId .What time frequency the correlationId change.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Apart from you, who else knows how frequently the correlation id changes?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry its not working .Sometimes the values coming but sometimes its not showing any values
.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please provide examples of what is working and what is not working otherwise just saying it is not working is not very helpful!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ITWhisperer
First time its coming when i am trying to refresh the same query i am not find any values
Query which i am trying:
index="mulesoft" applicationName="scheduler" environment=DEV message="Upcoming Executions for Scheduler :*" [search index="mulesoft" applicationName="
scheduler" | stats latest(correlationId) as correlationId | table correlationId | format] |where content.currStatus!="Interface has no entry found in object Store"|stats count by content.currStatus
If i use the query in seperate search its showing the latest correlation values:
message="Upcoming Executions for Scheduler :*" environment=DEV | stats latest(correlationId) as correlationId | table correlationId
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If i remove stats line it will shows 0 events.Not showing any counts
Introducing the Splunk Community Dashboard Challenge!
Get the T-shirt to Prove You Survived Splunk University Bootcamp
Wondering How to Build Resiliency in the Cloud?
