Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted

How to display count of two different fields with different values?

i471
New Member
‎06-03-2020 07:32 PM

Hello all I'm having difficulties figuring out how to output 2 seperate counts for 2 seperate fields.

index=email spf="fail" OR dkim="fail"
| dedup message_id
| stats count BY spf, dkim

Atttempting to return a single count of the unique logs that contain spf="fail" and a single count of unique logs that contain dkim="fail" :

spf dkim

14 75

Labels (1)
Labels
0 Karma
Reply
Highlighted

Re: How to display count of two different fields with different values?

i471
New Member
‎06-03-2020 07:40 PM

Updated search: index=email spf="fail" OR dkim="fail"

0 Karma
Reply
Highlighted

Re: How to display count of two different fields with different values?

gcusello
Legend
‎06-04-2020 05:47 AM

Hi @i471,
you could try something like this.

index=email spf="fail*" OR dkim="fail*"
| dedup message_id
| eval kind=if(like(spf,"fail%"),"spf",if(like(dkim,"fail%"),"dkim",""))
| search kind!=""
| stats count BY kind

Ciao.
Giuseppe

0 Karma
Reply