topic Re: SPL - mergin two values of a field into the same one in Splunk Dev

SPL - mergin two values of a field into the same one

MLGSPLUNK — Tue, 09 Mar 2021 16:19:39 GMT

Hi Community.

I have this SPL:

| tstats summariesonly=true allow_old_summaries=true count from datamodel=Intrusion_Detection.IDS_Attacks by IDS_Attacks.severity
| rename "IDS_Attacks.*" as "*"
| eval temp=""
| chart useother=true first(count) over temp by severity
| rename temp as count

And its working fine. However, I have values for IDS_Attacks.severity in form of "high" and "High" appart from other values, wich i woudl like to keep intact.

The SPL is counting the two values as different values, and I would like them to be merged into one count as "High".

Tried this:

| tstats summariesonly=true allow_old_summaries=true count from datamodel=Intrusion_Detection.IDS_Attacks by IDS_Attacks.severity

| rename IDS_Attacks.severity as severity2

| eval temp=""
| eval severity3 = if(severity2="high","High", severity2)
| chart useother=true first(count) over temp by severidad2
| rename temp as count

and its not working.

Note I need the SPL to be showing a report from a dashboard.

Thanks in advance.

Re: SPL - mergin two values of a field into the same one

richgalloway — Tue, 09 Mar 2021 18:24:38 GMT

The second query likely is failing because the stats command uses a field that is not specified anywhere else. Also, you don't need interim severity fields. Try this query.

| tstats summariesonly=true allow_old_summaries=true count from datamodel=Intrusion_Detection.IDS_Attacks by IDS_Attacks.severity | rename IDS_Attacks.*as * | eval temp="" | eval severity = if(severity="high","High", severity) | chart useother=true first(count) over temp by severity | rename temp as count

Re: SPL - mergin two values of a field into the same one

MLGSPLUNK — Tue, 09 Mar 2021 18:42:44 GMT

@richgalloway thanks for the input, but this query appears to not add up the values from "high" and "High".

My count after your query says 87 events with High, and there are no events "high" counted.

What I mean is that it shoudl add up values from high and High after the eval command, right?

Re: SPL - mergin two values of a field into the same one

MLGSPLUNK — Tue, 09 Mar 2021 18:43:19 GMT

Before state of what I get with the spl. I would like to add up the High and high values...

Re: SPL - mergin two values of a field into the same one

richgalloway — Tue, 09 Mar 2021 19:35:50 GMT

My reply is based on the requirement "The SPL is counting the two values as different values, and I would like them to be merged into one count as "High"." There is no "high" anymore - there is just "High" (and, I presume, "Low"). If that's not what is desired then clarify the requirements.

Re: SPL - mergin two values of a field into the same one

MLGSPLUNK — Tue, 09 Mar 2021 20:31:01 GMT

@richgalloway the requirement is that after the sum of "high" and "High" the count doesn't appear like:

sum of "high" values = 10

sum of "High" values=20

I need to have a total of sum of "High" values = 30 (that's the sole purpose of the eval command).

Thanks for the insight.

Re: SPL - mergin two values of a field into the same one

scelikok — Sat, 13 Mar 2021 08:45:42 GMT

Hi @MLGSPLUNK,

Since you are using first function in chart command, you get only first High value. You should use sum function. Please try below;

| tstats summariesonly=true allow_old_summaries=true count from datamodel=Intrusion_Detection.IDS_Attacks by IDS_Attacks.severity | rename IDS_Attacks.*as * | eval temp="" | eval severity = if(severity="high","High", severity) | chart useother=true sum(count) over temp by severity | rename temp as count

Re: SPL - mergin two values of a field into the same one

MLGSPLUNK — Mon, 15 Mar 2021 06:43:15 GMT

@scelikok Thanks a lot.