https://community.splunk.com/t5/Splunk-Search/How-to-use-eval-for-basic-search-terms-NOT-fields/m-p/396196#M115026 <P>So I want to get the stats count of two search terms in a search that looks like this:<BR /> <CODE>index=myIndex "searchTermA" OR "searchTermB"</CODE> (these searches being strings to find certain applications under the index and they have no fields to search for them by nor are they similar enough for field extraction to work [individually field extracting these also proves to have a lot of issues as well]).</P> <P>and what I wish I could do is this:</P> <PRE><CODE>index=myIndex "searchTermA" OR "searchTermB" | stats (or chart/timechart) count("searchTermA") count("searchTermB") </CODE></PRE> <P>to get the data I want.</P> <P>However, I am aware this is not possible. Is there some way to use eval to give these search strings a name and use them for count?</P> <P>I also cannot go into the .conf files and edit them.</P> <P>Thanks!</P> Tue, 19 Jun 2018 12:44:05 GMT link22 2018-06-19T12:44:05Z https://community.splunk.com/t5/Splunk-Search/How-to-use-eval-for-basic-search-terms-NOT-fields/m-p/396196#M115026 <P>So I want to get the stats count of two search terms in a search that looks like this:<BR /> <CODE>index=myIndex "searchTermA" OR "searchTermB"</CODE> (these searches being strings to find certain applications under the index and they have no fields to search for them by nor are they similar enough for field extraction to work [individually field extracting these also proves to have a lot of issues as well]).</P> <P>and what I wish I could do is this:</P> <PRE><CODE>index=myIndex "searchTermA" OR "searchTermB" | stats (or chart/timechart) count("searchTermA") count("searchTermB") </CODE></PRE> <P>to get the data I want.</P> <P>However, I am aware this is not possible. Is there some way to use eval to give these search strings a name and use them for count?</P> <P>I also cannot go into the .conf files and edit them.</P> <P>Thanks!</P> Tue, 19 Jun 2018 12:44:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-eval-for-basic-search-terms-NOT-fields/m-p/396196#M115026 link22 2018-06-19T12:44:05Z https://community.splunk.com/t5/Splunk-Search/How-to-use-eval-for-basic-search-terms-NOT-fields/m-p/396197#M115027 <P>You can run something like <CODE>... |eval count_field = case(searchmatch("searchtermA"), "A_class",searchmatch("searchtermB"),"B_class") | stats (or chart/timechart) count by count_field</CODE>. It should return the counts of both types of events. </P> Tue, 19 Jun 2018 14:30:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-eval-for-basic-search-terms-NOT-fields/m-p/396197#M115027 brendanmatthews 2018-06-19T14:30:14Z https://community.splunk.com/t5/Splunk-Search/How-to-use-eval-for-basic-search-terms-NOT-fields/m-p/396198#M115028 <P>You can something like this</P> <PRE><CODE>index=myIndex "searchTermA" OR "searchTermB" | stats count(eval(searchmatch("searchTermA"))) as CountA count(eval(searchmatch("searchTermB"))) as CountB </CODE></PRE> Tue, 19 Jun 2018 14:41:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-eval-for-basic-search-terms-NOT-fields/m-p/396198#M115028 somesoni2 2018-06-19T14:41:32Z