https://community.splunk.com/t5/Splunk-Search/Can-Sum-multiple-eval-quot-quot-as-action1-eval-quot-quot-as/m-p/156754#M44093 <P>update ping</P> Thu, 09 Oct 2014 06:14:02 GMT MuS 2014-10-09T06:14:02Z https://community.splunk.com/t5/Splunk-Search/Can-Sum-multiple-eval-quot-quot-as-action1-eval-quot-quot-as/m-p/156751#M44090 <P>Hello every one </P> <PRE><CODE>host="abc" user="12345678" | eval '"@@@" as action1| eval "###" as action2 | eval "$$$$" as actions2 | stats count by userID </CODE></PRE> <P>There are 90 logline contains "@@@".</P> <P>There are 90 logline contains "###".</P> <P>There are 90 logline contains "$$$$".</P> <P>All the "@@@" "### " "$$$$" are in the theRest field.</P> <PRE><CODE>result action1 90 action2 190 action3 3 </CODE></PRE> <P>Thank you all in advance.</P> Wed, 08 Oct 2014 23:59:02 GMT https://community.splunk.com/t5/Splunk-Search/Can-Sum-multiple-eval-quot-quot-as-action1-eval-quot-quot-as/m-p/156751#M44090 DavisXie 2014-10-08T23:59:02Z https://community.splunk.com/t5/Splunk-Search/Can-Sum-multiple-eval-quot-quot-as-action1-eval-quot-quot-as/m-p/156752#M44091 <P>Hi DavisXie,</P> <P>not quiet sure what you want to do, but this is not the way <CODE>eval</CODE> works. If you want to use <CODE>eval</CODE> do something like this:</P> <PRE><CODE>host="abc" user="12345678" | eval action1=like(theRest, "created%") | eval action2=like(theRest, "submit%") | eval action3=like(theRest, "quit%") | stats count by user, action1, action2, action3 </CODE></PRE> <P>But usually if you want to get the actions from your events, you would get them into some field first and then do stuff with them. Try something like this:</P> <PRE><CODE>host="abc" user="12345678" | rex field=theRest "(?&lt;action&gt;(created)|(submit)|(quit))" | stats count by user, action </CODE></PRE> <P>The <CODE>rex</CODE> field extraction can later be set as automatic field extraction <A href="http://docs.splunk.com/Documentation/Splunk/6.1.4/Knowledge/Addfieldsatsearchtime">http://docs.splunk.com/Documentation/Splunk/6.1.4/Knowledge/Addfieldsatsearchtime</A></P> <P>hope this helps ...</P> <P>cheers, MuS</P> Thu, 09 Oct 2014 05:49:53 GMT https://community.splunk.com/t5/Splunk-Search/Can-Sum-multiple-eval-quot-quot-as-action1-eval-quot-quot-as/m-p/156752#M44091 MuS 2014-10-09T05:49:53Z https://community.splunk.com/t5/Splunk-Search/Can-Sum-multiple-eval-quot-quot-as-action1-eval-quot-quot-as/m-p/156753#M44092 <P>After copying the "There are 90 logline contains "###", forgot to edit the numbers.</P> <P>Question <BR /> host="abc" user="12345678" | eval '"<EM>created</EM>" as action1| eval "<EM>submit</EM>" as action2 | eval "<EM>quit</EM>" as actions2 | stats count by userID</P> <P>There are 90 logline contains "created".<BR /> There are 190 logline contains "submit".<BR /> There are 3 logline contains "quit".</P> <P>All the "created" "submit" "quit" are in the theRest field.</P> <P>result<BR /> action1 90<BR /> action2 190<BR /> action3 3</P> Thu, 09 Oct 2014 05:59:44 GMT https://community.splunk.com/t5/Splunk-Search/Can-Sum-multiple-eval-quot-quot-as-action1-eval-quot-quot-as/m-p/156753#M44092 DavisXie 2014-10-09T05:59:44Z https://community.splunk.com/t5/Splunk-Search/Can-Sum-multiple-eval-quot-quot-as-action1-eval-quot-quot-as/m-p/156754#M44093 <P>update ping</P> Thu, 09 Oct 2014 06:14:02 GMT https://community.splunk.com/t5/Splunk-Search/Can-Sum-multiple-eval-quot-quot-as-action1-eval-quot-quot-as/m-p/156754#M44093 MuS 2014-10-09T06:14:02Z