Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can multiple IF statements be used
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am creating a report off of logs files. In this report I am looking to list out the number of times particular actions were took. The two IF statements below produce data as expected when ran alone, but when ran together one of the fields is empty and the other list all the values as 0's.
sourcetype = drupal_app_logs domain_type = "clientportal" email != "surfspamfree.com" email !="@littler.com"
|eval Portallogins=if((trim(upper(action))=trim(upper("User Login")) AND trim(upper(domain))=trim(upper("Login Portal"))),1,0)
|stats sum(Portallogins) as "Portal Logins" by email
|eval Globallogins=if(like (message,"%portal.littler.com/apps/global-guide"),1,0)
|stats sum(Globallogins) as "Global Logins" by email
|join type=left email
[|search index=onelogin_roll role_id{} != null]
|table email,firstname, lastname,company,last_login,"Portal Logins","Global Logins"
|sort company
Any help is greatly appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem here is the the order of thsoe conidtions and stats command. After the first stats for Portal Logins, only fields available in your result set are email and "Portal Logins", so your next eval for GlobalLogins and stats doesn't work. Try like this
sourcetype = drupal_app_logs domain_type = "clientportal" email != "surfspamfree.com" email !="@littler.com"
|eval Portallogins=if((trim(upper(action))=trim(upper("User Login")) AND trim(upper(domain))=trim(upper("Login Portal"))),1,0)
|eval Globallogins=if(like (message,"%portal.littler.com/apps/global-guide"),1,0)
|stats sum(Globallogins) as "Global Logins" sum(Portallogins) as "Portal Logins" by email
|join type=left email
[|search index=onelogin_roll role_id{} != null]
|table email,firstname, lastname,company,last_login,"Portal Logins","Global Logins"
|sort company
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem here is the the order of thsoe conidtions and stats command. After the first stats for Portal Logins, only fields available in your result set are email and "Portal Logins", so your next eval for GlobalLogins and stats doesn't work. Try like this
sourcetype = drupal_app_logs domain_type = "clientportal" email != "surfspamfree.com" email !="@littler.com"
|eval Portallogins=if((trim(upper(action))=trim(upper("User Login")) AND trim(upper(domain))=trim(upper("Login Portal"))),1,0)
|eval Globallogins=if(like (message,"%portal.littler.com/apps/global-guide"),1,0)
|stats sum(Globallogins) as "Global Logins" sum(Portallogins) as "Portal Logins" by email
|join type=left email
[|search index=onelogin_roll role_id{} != null]
|table email,firstname, lastname,company,last_login,"Portal Logins","Global Logins"
|sort company
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
