topic Re: eval command for two types of error in Splunk Search

eval command for two types of error

ksharma7 — Wed, 06 May 2020 05:05:05 GMT

Hi,

I have this query :

index="app" sourcetype="rxc" host="rxc-ip*" id=7 URL="/user/unauth" OR referer="https://quest.com/user/unauth*"  earliest=-15m@m latest=now| dedup qid| eval "Error"=id+"-"+Name+"(Impacted-"+referer+"OR"+URL+")"| stats count by "Error"

What I am looking for is that it should count the occurrence of either URL or referer dedup the quid as some quid are common in both and then give me result like:

7-name:Impacted-/user/unauth            100

But stat is not working in this case for me ....probably because eval is not used correctly...can someone help?

Re: eval command for two types of error

jadengoho — Wed, 30 Sep 2020 05:21:58 GMT

Here's the breakdown of the Code:

index="app" sourcetype="rxc" host="rxc-ip*" id=7 URL="/user/unauth" OR referer="https://quest.com/user/unauth*" earliest=-15m@m latest=now
- [ Base search ]

| dedup qid
- Using dedup will remove all the duplicate for the specific field.
- Example : You have 30 events of "00001", and 10 events of "00002" in total of 50 events. Once you use the dedup command you will only got 1 event per each , meaning you will get only 2 rows

| eval "Error"=id+"-"+Name+"(Impacted-"+referer+"OR"+URL+")"
| stats count by "Error"

Also a screenshot or result would be helpful in this situation.