topic Re: Working with eventtypes: how to solve duplicated rows into results in Splunk Search

Working with eventtypes: how to solve duplicated rows into results

nik_splunk — Tue, 25 May 2010 15:04:04 GMT

Good morning,

I'm developing for a customer a very simple search.

tag=mysourcetype tag=myeventtype startdaysago=7 tag= | stats count by _time,User_Name,"tag::eventtype" ....

An example could be as follow:

tag::sourcetype=WINDOWS tag::eventtype=an_action startdaysago=7 tag=groupfoo | stats count by _time,User_Name,"tag::eventtype" ...

I'm using several eventtypes to identify :

an_action = there are approximatly 60 eventcode saved as eventype to identify 5 categories of actions

groupfoo = there are eventtypes to identify those groups.

Customer wants a simple table where is clear

WHEN, WHO, WHAT.

Troubles are regarding WHAT:

| stats count by _time,User_Name,"tag::eventtype"

produces good rows (those regarding action ) but also I get duplicated results because groupfoo eventtypes. I mean that also goupfoo is defined as eventtype so for each time I get duplicated results: one (or more) by the perspective of action and this is what I'm looking for. Another one by the perspective of groupfoo : this is the sum of all the previous rows.

Using inputlookup command, results aren't better:

I built a lookup table for all those events I'm interested in, but:

|input lookup mylookuptable.csv ---> works

tag::sourcetype=WINDOWS startdaysago=7 tag= [|input lookup mylookuptable.csv | format ]| stats count by _time,User_Name, ...

returns 0 events

Where I wrong?

Thanks in advance for your time and for any suggestions you would gently provide

Nik

Re: Working with eventtypes: how to solve duplicated rows into results

Stephen_Sorkin — Sat, 05 Jun 2010 03:48:43 GMT

Hi Nik,

I don't think that this is because of the output of the initial search, whether you use tag= or the inputlookup. Splunk will not emit the same event twice to the rest of the search string. The issue is probably that stats count will emit two rows if the tag::eventtype is a multivalued field (that is, there are two tags for the eventtype in the same event).

The easiest thing to do here is to use the mvcombine command to flatten the tag::eventtype into a single valued field. You may want to filter out the tags to be those that match your "whats." For example, you may want to have the search be:

tag::sourcetype=WINDOWS tag::eventtype=an_action startdaysago=7 tag=groupfoo | eval what=mvfilter(tag::eventtype LIKE "what-%") | mvcombine what | stats count by _time,User_Name,what ...

Re: Working with eventtypes: how to solve duplicated rows into results

nik_splunk — Sun, 06 Jun 2010 18:11:06 GMT

Hi Stephen,

thanks so much for your time: I really appreciate your support and your professionalism.

Have a good day!

nik

Re: Working with eventtypes: how to solve duplicated rows into results

nik_splunk — Mon, 21 Jun 2010 22:08:44 GMT

piping

eval what=mvfilter(tag::eventtype LIKE "what-%") exits with this error

Error in 'eval' command: Malformed expression - ) expected.

Any IDEA? Tks

Re: Working with eventtypes: how to solve duplicated rows into results

Marklar — Tue, 22 Jun 2010 04:15:35 GMT

Hi nik - eval thinks the '::' in the tag is an operator. When you have a field with special characters in an eval expression, surround that field with single quotes or dollar signs. Try this: eval what=mvfilter('tag::eventtype' LIKE "what-%")

Re: Working with eventtypes: how to solve duplicated rows into results

nik_splunk — Wed, 23 Jun 2010 15:10:30 GMT

Hello Marklar, sorry for my 'silly' question but You're absolutely right..Thanks a lot !