Hi Splunker,
I have to count successes and failures from the same index and sourcetype on the basis of raw text in an event.
The only difference is that the raw text for success is different from the raw text for failure.
I have used the logic below to find the count of successes and failures, but this query is taking loads of time to execute.
Please remember that the strings present below are not fields in Splunk; they are simple text, and on the basis of that I need to filter and count.
Could you please suggest some other way by which I can execute this query faster?
index=Only_prod host=winter-p*-1 sourcetype="Season.log"
(Incoming OR Outgoing)
NOT ("Some String One" ) ("Some String Two" OR "Some String Three" OR "Some String Four")
|stats count as Error
|Join serviceName type=outer [
search index=Only_prod host=winter-p*-1 sourcetype="Season.log"
(Incoming OR Outgoing)
NOT ("Some String Five" ) ("Some String Seven" OR "Some String Six" OR "Some String Eight")
| stats count as Successes ]
Thanks in advance,
Regards,