topic Re: Total occurrences within a column in Splunk Search

Total occurrences within a column

dmarcantonionw — Wed, 31 Jan 2018 01:44:45 GMT

I am pulling Windows event logs for software updates. There's a column for successRatio that is either Success or Failure as the result. I would like to append my event log search query to give me a total number of Success and total number of Failure. Bonus points if we can make it a numerical value on a dashboard. Here is my initial search query:

index=wineventlog sourcetype=WinEventLog:System EventCode=19  | eval Date=strftime(_time, "%Y/%m/%d") | rex "\WKB(?<KB>.\d+)\W" | eval successRatio=mvindex(split(Keywords,","),-1) | stats count by Date , host, package_title, KB , body , successRatio| sort host

This works great, but like I said, I'd like to have a total count of success and failures available in a report and a dashboard.

Re: Total occurrences within a column

adonio — Wed, 31 Jan 2018 02:43:07 GMT

Hello there,

please try out this search:

  index=wineventlog sourcetype=WinEventLog:System EventCode=19 
    | eval Date=strftime(_time, "%Y/%m/%d") 
    | rex "\WKB(?<KB>.\d+)\W" 
    | rex field=Keywords "\w+,\s+(?<status>\S+)"
    | stats count(eval(status="Success")) as succeeded count(eval(status="Failure")) as failed

from here you can take it however you would like

hope it helps

Re: Total occurrences within a column

mayurr98 — Wed, 31 Jan 2018 06:21:13 GMT

hey Try this

index=wineventlog sourcetype=WinEventLog:System EventCode=19 
| eval Date=strftime(_time, "%Y/%m/%d") 
| rex "\WKB(?<KB>.\d+)\W" 
| eval successRatio=mvindex(split(Keywords,","),-1) 
| stats count(eval(successRatio="Success")) as "Success_Count" count(eval(successRatio="Failure")) as "Failure_Count" by Date , host, package_title, KB , body 
| sort host

let me know if this helps!