- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Is it possible to use wildcards with Flow Map ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to have multiple fields using wildcards as follows:
index = iis sourcetype="ms:iis:auto"
| stats count(eval(status=4*)) as error count(eval(status=2*)) as good by dest_ip
|eval from="Traffic" , to= dest_ip
|head 100
|table from to error good
I have also tried:
index = iis sourcetype="ms:iis:auto"
| stats count(eval(status=400 and 401 and 402))
But can't seem get this to work
Any help would be appreciated
I am also wondering if there is an example search plus lookup (maybe a generic _internal search |lookup) as mentioned in the documentation that can be used to help explain in more detail how the search and lookup works for complex flow maps. I am having difficulty with combining the two.
Thanks in advance, @chrisyoungerjds , loving this app by the way 5*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index = iis sourcetype="ms:iis:auto"
| chart useother=false usenull=false count over dest_ip by status
| streamstats count as tmp
| untable tmp status count
| stats sum(eval(if(like(status,"2%"),count,0))) as good
,sum(eval(if(like(status,"4%"),count,0))) as error
,values(eval(if(status=="dest_ip",count,NULL))) as dest_ip by tmp
| eval from="Traffic", to=dest_ip
| fields from to error good
OR
index = iis sourcetype="ms:iis:auto"
| chart useother=false usenull=false count over dest_ip by status
| eval good=0,error=0
| foreach 2*
[eval good = good + '<<FIELD>>']
| foreach 4*
[eval error = error + '<<FIELD>>']
| eval from="Traffic", to=dest_ip
| fields from to error good
Hi, how about this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index = iis sourcetype="ms:iis:auto"
| chart useother=false usenull=false count over dest_ip by status
| streamstats count as tmp
| untable tmp status count
| stats sum(eval(if(like(status,"2%"),count,0))) as good
,sum(eval(if(like(status,"4%"),count,0))) as error
,values(eval(if(status=="dest_ip",count,NULL))) as dest_ip by tmp
| eval from="Traffic", to=dest_ip
| fields from to error good
OR
index = iis sourcetype="ms:iis:auto"
| chart useother=false usenull=false count over dest_ip by status
| eval good=0,error=0
| foreach 2*
[eval good = good + '<<FIELD>>']
| foreach 4*
[eval error = error + '<<FIELD>>']
| eval from="Traffic", to=dest_ip
| fields from to error good
Hi, how about this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @to4kawa for the prompt reply.
This worked a treat, I will just need to change good/error to success/error now,
Again, thanks for the support.
Infographic provides the TL;DR for the 2023 Splunk Career Impact Report
Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...
Enterprise Security Content Update (ESCU) | New Releases
