Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Calculations off of results of two stats searches

hlarimer
Communicator
‎11-18-2014 12:30 PM

I have 2 searches:

index=av_log sourcetype=sophos_threat_events | dedup ComputerName FullFilePath | stats count by ThreatType

and

search index=av_log sourcetype=sophos_threat_events Status = Resolved | dedup ComputerName FullFilePath | stats count by ThreatType

Each search will create a results table showing 3 Threat types and a count for each. The first search is totals, the second search are resolved. I would like one table that would show each and show the percentage of Threats resolved for each ThreatType.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎11-18-2014 12:40 PM

Hi hlarimer,

try this:

search index=av_log sourcetype=sophos_threat_events Status="Resolved" | dedup ComputerName FullFilePath | stats count(eval(Status="Resolved")) AS resolved_count count AS Total by ThreatType | eval perc=resolved_count*100/Total | table Total resolved_count ThreatType perch

Maybe you need to adapt this search a bit because it is not tested 😉

cheers, Mus

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-18-2014 12:40 PM

Perhaps something like this will do the job.

index=av_log sourcetype=sophos_threat_events | dedup ComputerName FullFilePath | stats count as ThreatCount by ThreatType | join ThreatType [search index=av_log sourcetype=sophos_threat_events Status = Resolved | dedup ComputerName FullFilePath | stats count as ResolvedCount by ThreatType] | table ThreatType ThreatCount ResolvedCount
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution
Solution

MuS
Legend
‎11-18-2014 12:40 PM

Hi hlarimer,

try this:

search index=av_log sourcetype=sophos_threat_events Status="Resolved" | dedup ComputerName FullFilePath | stats count(eval(Status="Resolved")) AS resolved_count count AS Total by ThreatType | eval perc=resolved_count*100/Total | table Total resolved_count ThreatType perch

Maybe you need to adapt this search a bit because it is not tested 😉

cheers, Mus

Reply
Solved! Jump to solution

hlarimer
Communicator
‎11-18-2014 01:10 PM

I had to remove the Status="Resolved" from the initial search to start with the full results but otherwise this worked great (and removed a type from perc in the table command). Thank you for this solution.

An additional question, I would like to add an additional match to the eval (Status=Resolved) part of the search. I would like to match Status=Matched and UserName!=adm. Any idea how to do this?

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎11-18-2014 01:18 PM

Sure try this:

eval(Status=Resolved OR Status=Matched AND UserName!=adm)

And sorry for the typo 😉 writting SPL on an iPad is not that easy 🙂

0 Karma
Reply
Solved! Jump to solution

hlarimer
Communicator
‎11-18-2014 01:40 PM

I was thinking that was the solution too but I am getting this message:

Error in 'stats' command: The eval expression for dynamic field eval(Status="Resolved" AND UserName=*adm*) is invalid. Error='The expression is malformed. An unexpected character is reached at 'adm'.'

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎11-18-2014 01:45 PM

sorry, format messed up in your comment.... so try this:

eval(Status="Resolved" AND UserName="*adm*")

0 Karma
Reply
Solved! Jump to solution

hlarimer
Communicator
‎11-19-2014 09:54 AM

I'm not getting errors anymore but I'm still having issues with the last eval. The following two searches should return the same results , correct?

index=av_log sourcetype=sophos_threat_events | dedup ComputerName FullFilePath | stats count(eval(UserName="adm")) AS Resolved_by_Service_Desk

index=av_log sourcetype=sophos_threat_events | dedup ComputerName FullFilePath | search UserName=adm | stats count AS Resolved_by_Service_Desk

But the first result gives me 0 and the second gives me 44, any idea why?

0 Karma
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...