Splunk Enterprise Security

How to display count of two different fields with different values?

i471
New Member

Hello all I'm having difficulties figuring out how to output 2 seperate counts for 2 seperate fields.

index=email spf="fail*" OR dkim="fail*"
| dedup message_id
| stats count BY spf, dkim

Atttempting to return a single count of the unique logs that contain spf="fail" and a single count of unique logs that contain dkim="fail" :

spf dkim

14 75

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @i471,
you could try something like this.

index=email spf="fail*" OR dkim="fail*"
| dedup message_id
| eval kind=if(like(spf,"fail%"),"spf",if(like(dkim,"fail%"),"dkim",""))
| search kind!=""
| stats count BY kind

Ciao.
Giuseppe

0 Karma

i471
New Member

Updated search: index=email spf="fail" OR dkim="fail"

0 Karma
Get Updates on the Splunk Community!

ATTENTION!! We’re MOVING (not really)

Hey, all! In an effort to keep this Slack workspace secure and also to make our new members' experience easy, ...

Splunk Admins: Build a Smarter Stack with These Must-See .conf25 Sessions

  Whether you're running a complex Splunk deployment or just getting your bearings as a new admin, .conf25 ...

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...