Solved: Help with Stats based on Conditional Multiple Valu...

shashi319 · ‎05-06-2016

Here is my raw data:

advisories=[Advisory@51046c2f[advisory=6,rule=LOGIN_3,passive=true], Advisory@2f9ea478[advisory=32,rule=LOGIN_30,passive=false], Advisory@795aab36[advisory=29,rule=LOGIN_26,passive=false]],passiveResponse=PassiveResultCollector@482f8caf[passivePrimary=LOGIN_3,passive=true,passiveAction=INTERDICT,passvieRules=[LOGIN_3],allRuleMarkers=[LOGIN_3]]];enter code here

index=sims_prod source=*/authentication-audit.log  earliest=-1d@d 
|where advisories!="[]"
|rex field=advisories "\[advisory=(?<advisory>\d+),rule=(?<rule>[^,]+),passive=(?<isPassive>[^\]]+)\]" max_match=10
|foreach advisory isPassive [eval activeAdvName=if(isPassive="false",advisory,"null")|eval activeAdvCount= if(isPassive="false",1,0)]
| stats sum(activeAdvCount) as ActiveAdvCount by activeAdvName

Current result:
activeAdvName ActiveAdvCount
29 1
32 1
6 1

activeAdvName ActiveAdvCount
29 1
32 1

and if want to get Passive Advisory Count, i should get
PassiveAdvName PassiveAdvCount
6 1

sundareshr · ‎05-07-2016

See if this works for you

index=sims_prod source=*/authentication-audit.log  earliest=-1d@d 
| where advisories!="[]"
| rex field=advisories "\[advisory=(?<advisory>\d+),rule=(?<rule>[^,]+),passive=(?<isPassive>[^\]]+)\]" max_match=10
| eval z=mvzip(advisory,isPassive)
| mvexpand z
| rex field=z "(?<advisory>[^,]+),(?<isPassive>[^,]+)"
| eval activeAdvName=if(isPassive="false",advisory,"null")
|eval activeAdvCount= if(isPassive="false",1,0)]
| stats sum(activeAdvCount) as ActiveAdvCount by activeAdvName

View solution in original post

sundareshr · ‎05-07-2016

See if this works for you

index=sims_prod source=*/authentication-audit.log  earliest=-1d@d 
| where advisories!="[]"
| rex field=advisories "\[advisory=(?<advisory>\d+),rule=(?<rule>[^,]+),passive=(?<isPassive>[^\]]+)\]" max_match=10
| eval z=mvzip(advisory,isPassive)
| mvexpand z
| rex field=z "(?<advisory>[^,]+),(?<isPassive>[^,]+)"
| eval activeAdvName=if(isPassive="false",advisory,"null")
|eval activeAdvCount= if(isPassive="false",1,0)]
| stats sum(activeAdvCount) as ActiveAdvCount by activeAdvName

shashi319 · ‎05-07-2016

It worked like a charm!!! Thank YOU..

Help with Stats based on Conditional Multiple Values - foreach (potentially)

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!