topic Re: exclude certain event type from count in Splunk Search

exclude certain event type from count

noman377 — Thu, 06 Aug 2020 05:04:01 GMT

Hi, I have a stat on eventtype like this

index=xyz | stats count by eventtype

This query generates:

All_logs = 14

Error = 2

Auth = 8

Where All_logs is also an eventtype which encomapsses all events: Error, Login and Auth

How can I rewrite this query so I will see count of eventtype excluding All_logs and Login events

Re: exclude certain event type from count

thambisetty — Thu, 06 Aug 2020 06:36:29 GMT

@noman377

I used many dummy fields to make you understand

up vote if it solves your issue.

Re: exclude certain event type from count

noman377 — Thu, 06 Aug 2020 14:22:25 GMT

@thambisetty , still seeing All_logs and Login events in the stats count 😞

Re: exclude certain event type from count

thambisetty — Thu, 06 Aug 2020 14:33:06 GMT

if you looked at my answer, it contains 4 rows like below

Look at eventtype field All_logs is present in all rows but if you see final output the count of All_logs below is 1 because All_logs is present in one row alone with out any other value.

Re: exclude certain event type from count

noman377 — Thu, 06 Aug 2020 15:15:05 GMT

@thambisetty , I am sorry, my post probably was not very clear. Let me rephrase...
Original query: index=xyz | stats count by eventtype

where All_logs encompasses every log in the search (100% coverage).

Current Result:

eventtype	count
All_logs	14
Error	2
Login	4
Auth	8

Expected Result:

eventtype	count
Error	2
Auth	8

Appreciate all your help.

Re: exclude certain event type from count

thambisetty — Thu, 06 Aug 2020 15:35:29 GMT

index=xyz | stats count by eventtype | search eventtype IN (“Error”,”Auth”)