Splunk Dev

SPL - merging two values of a field into the same one

MLGSPLUNK
Path Finder

Hi Community.

I have this SPL:

| tstats summariesonly=true allow_old_summaries=true count from datamodel=Intrusion_Detection.IDS_Attacks by IDS_Attacks.severity
| rename "IDS_Attacks.*" as "*"
| eval temp=""
| chart useother=true first(count) over temp by severity
| rename temp as count

And it's working fine. However, I have values for IDS_Attacks.severity in the form of "high" and "High" apart from other values, which I would like to keep intact.

The SPL is counting the two values as different values, and I would like them to be merged into one count as "High".

Tried this:

| tstats summariesonly=true allow_old_summaries=true count from datamodel=Intrusion_Detection.IDS_Attacks by IDS_Attacks.severity
| rename IDS_Attacks.severity as severity2
| eval temp=""
| eval severity3 = if(severity2="high","High", severity2)
| chart useother=true first(count) over temp by severidad2
| rename temp as count

and it's not working.

Note I need the SPL to be showing a report from a dashboard.

Thanks in advance.

1 Solution

scelikok
SplunkTrust

Hi @MLGSPLUNK,

Since you are using the first function in the chart command, you get only the first High value. You should use the sum function. Please try below:

| tstats summariesonly=true allow_old_summaries=true count from datamodel=Intrusion_Detection.IDS_Attacks by IDS_Attacks.severity
| rename "IDS_Attacks.*" as "*"
| eval temp=""
| eval severity = if(severity="high","High", severity)
| chart useother=true sum(count) over temp by severity
| rename temp as count
If this reply helps you an upvote and "Accept as Solution" is appreciated.


MLGSPLUNK
Path Finder

@scelikok Thanks a lot.


MLGSPLUNK
Path Finder

Before state of what I get with the SPL. I would like to add up the High and high values...


richgalloway
SplunkTrust

The second query likely is failing because the stats command uses a field that is not specified anywhere else. Also, you don't need interim severity fields. Try this query.

| tstats summariesonly=true allow_old_summaries=true count from datamodel=Intrusion_Detection.IDS_Attacks by IDS_Attacks.severity
| rename "IDS_Attacks.*" as "*"
| eval temp=""
| eval severity = if(severity="high","High", severity)
| chart useother=true first(count) over temp by severity
| rename temp as count
---
If this reply helps you, Karma would be appreciated.

MLGSPLUNK
Path Finder

@richgalloway thanks for the input, but this query appears to not add up the values from "high" and "High".

My count after your query says 87 events with High, and there are no events "high" counted.

What I mean is that it should add up values from high and High after the eval command, right?


richgalloway
SplunkTrust

My reply is based on the requirement "The SPL is counting the two values as different values, and I would like them to be merged into one count as "High"." There is no "high" anymore - there is just "High" (and, I presume, "Low"). If that's not what is desired then clarify the requirements.


---
If this reply helps you, Karma would be appreciated.

MLGSPLUNK
Path Finder

@richgalloway the requirement is that after the sum of "high" and "High" the count doesn't appear like:

sum of "high" values = 10

sum of "High" values=20

I need to have a total of sum of "High" values = 30 (that's the sole purpose of the eval command).

Thanks for the insight.

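As an added example, not from the thread, this is the accepted approach generalized so that every case variant of the severity value ("high", "High", "HIGH") folds into one canonical label before the counts are summed; the Medium and Low labels assume those are the other severity values present in the data, which is an assumption, and any value that matches none of the branches is kept intact.

```spl
| tstats summariesonly=true allow_old_summaries=true count from datamodel=Intrusion_Detection.IDS_Attacks by IDS_Attacks.severity
| rename "IDS_Attacks.*" as "*"
| eval severity=case(lower(severity)="high", "High",
                     lower(severity)="medium", "Medium",
                     lower(severity)="low", "Low",
                     true(), severity)
| eval temp=""
| chart useother=true sum(count) over temp by severity
| rename temp as count
```

With first(count) instead of sum(count), the report would silently keep only one of the merged buckets, so a severity count on a dashboard would understate the number of detections.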