https://community.splunk.com/t5/Splunk-Search/Sum-of-conditional-if-with-wildcard/m-p/251973#M75345 <P>So, this is sort of working I think... but it seems like my group is only returning one column for each user.. so I will get a count of type2_if_total for a given user I won't get a count of type1_if_total or visa versa. I need to know the total count of both type1_if_total and type2_if_total for each user. </P> Tue, 29 Sep 2020 07:26:27 GMT jclemons7 2020-09-29T07:26:27Z https://community.splunk.com/t5/Splunk-Search/Sum-of-conditional-if-with-wildcard/m-p/251970#M75342 <P>Hello all, </P> <P>I have the following search and I can't seem to "trick" it into giving me the data I want... Essentially, I want a table by timestamp and user which counts occurrences of wildcard hits. Here's my lame attempt to get it working.. </P> <PRE><CODE>event="standard" | regex _raw!=(?i)"(fileofinterest.txt|objectofinterest.txt|otherthing.bat)" | eval type1_if=if(InterestingField="%fileofinterest.txt%", 1, 0) | eval type2_if=if(InterestingField="%objectofinterest.txt%", 1, 0) </CODE></PRE> <P>I want to get a table that looks like this: </P> <PRE><CODE>_timestamp | user | type1_if_total | type2_if_total | type_if_total </CODE></PRE> <P>For each user and _timestamp</P> <P>Any help is greatly appreciated... </P> Thu, 01 Oct 2015 20:14:49 GMT https://community.splunk.com/t5/Splunk-Search/Sum-of-conditional-if-with-wildcard/m-p/251970#M75342 jclemons7 2015-10-01T20:14:49Z https://community.splunk.com/t5/Splunk-Search/Sum-of-conditional-if-with-wildcard/m-p/251971#M75343 <P>I think you are not asking for what you really desire but assuming I am incorrect, you can what you asked like this:</P> <PRE><CODE>event="standard" | regex _raw!=(?i)"(fileofinterest.txt|objectofinterest.txt|otherthing.bat)" | stats count(eval(match(InterestingField,"%fileofinterest.txt%") AS type1_if_total count(eval(match(InterestingField, "%objectofinterest.txt%") AS type2_if_total BY _timestamp user | eval type_if_total = type1_if_total + type2_if_total </CODE></PRE> Thu, 01 Oct 2015 20:24:17 GMT https://community.splunk.com/t5/Splunk-Search/Sum-of-conditional-if-with-wildcard/m-p/251971#M75343 woodcock 2015-10-01T20:24:17Z https://community.splunk.com/t5/Splunk-Search/Sum-of-conditional-if-with-wildcard/m-p/251972#M75344 <P>Any sample logs??</P> Thu, 01 Oct 2015 22:48:24 GMT https://community.splunk.com/t5/Splunk-Search/Sum-of-conditional-if-with-wildcard/m-p/251972#M75344 somesoni2 2015-10-01T22:48:24Z https://community.splunk.com/t5/Splunk-Search/Sum-of-conditional-if-with-wildcard/m-p/251973#M75345 <P>So, this is sort of working I think... but it seems like my group is only returning one column for each user.. so I will get a count of type2_if_total for a given user I won't get a count of type1_if_total or visa versa. I need to know the total count of both type1_if_total and type2_if_total for each user. </P> Tue, 29 Sep 2020 07:26:27 GMT https://community.splunk.com/t5/Splunk-Search/Sum-of-conditional-if-with-wildcard/m-p/251973#M75345 jclemons7 2020-09-29T07:26:27Z https://community.splunk.com/t5/Splunk-Search/Sum-of-conditional-if-with-wildcard/m-p/251974#M75346 <P>something like this?</P> <PRE><CODE>... | stats count(eval(type1_if=1)) as type1_if count(eval(type2_if=1)) as type2_if count(eval(type1_if=1 OR type2_if=1)) as type_if by _timestamp user </CODE></PRE> Fri, 02 Oct 2015 16:31:45 GMT https://community.splunk.com/t5/Splunk-Search/Sum-of-conditional-if-with-wildcard/m-p/251974#M75346 maciep 2015-10-02T16:31:45Z https://community.splunk.com/t5/Splunk-Search/Sum-of-conditional-if-with-wildcard/m-p/251975#M75347 <P>If you are only getting a count of one it is because that is what is really there. If a user has some of each, this search <EM>WILL</EM> count both and each field will be non-zero. My solution is a complete solution for your need as you described it.</P> Fri, 16 Oct 2015 18:47:39 GMT https://community.splunk.com/t5/Splunk-Search/Sum-of-conditional-if-with-wildcard/m-p/251975#M75347 woodcock 2015-10-16T18:47:39Z