Solved: Correct count of events

strawberry28 · ‎06-16-2022

source="http:Emerson_P1CDN"
| spath host
| spath client_ip
| spath status_code | where status_code=200
| spath referer | where referer=""
| spath path | search path NOT ("*wcsextendedsearch" OR "*EmersonSKUListingView" OR "*EmersonProductListingView" OR "*CartRefreshStatusJSON" OR "*PriceAjaxView" OR "*AjaxSerialNumber" OR "*UnsupportedBrowserErrorView" OR "*LogonForm"OR "*MiniCart" OR "*MiniShopCartDisplayView" OR "*AnalyticsPageView" OR "*AjaxAccountLinkDisplay" OR "*.css" OR "*.js" OR "*.woff2" OR "*.woff" OR "*.gif" OR "*.png" OR "*.jpg" OR "*.ico" OR "*.pdf" OR "*.html" OR "*.txt" OR "*.xml" OR "*/ClickInfo" OR "*thumb")
| bin _time span=1m
| stats count by _time,host,path,client_ip | where count >= 100 | sort - count

Does the query at the top is correct?, because we want to count the total events of _time,host,path and client_ip per minute

ITWhisperer · ‎06-16-2022

Yes, stats will count the events which match the unique combinations of those fields

View solution in original post

ITWhisperer · ‎06-16-2022

You might want to consider

| spath referer | where referer="" OR isnull(referer)

strawberry28 · ‎06-16-2022

I will, but is it looks good? does the stats count. count the events?
thanks

ITWhisperer · ‎06-16-2022

Yes, stats will count the events which match the unique combinations of those fields

strawberry28 · ‎06-16-2022

Thank you so much!

Correct count of events

other

summary indexing

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM