Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Counting Specific Events Type?

asarran
Path Finder
‎11-22-2016 08:18 AM

Good Morning, Fellow Splunkers

I have a field extraction that outputs four possible values [Example]:

Field Extraction: [Direction]

[North]
[South]
[East]
[West]

I would like to count each of event within a period of time.

I'm thinking:

index=xxxx host=xxxx Direction="*"| Stat Count ("North" "South" "East" "West")

0 Karma
Reply

woodcock
Esteemed Legend
‎03-11-2017 01:16 PM

Like this:

... | stats count BY Direction
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-23-2016 12:46 AM

Hi asarran,
try something like this

your_search direction=* | stats count by Direction

or if you want a Time distribution

your_search direction=* | timechart count by Direction

Bye.
Giuseppe

0 Karma
Reply

Raschko
Communicator
‎11-22-2016 08:34 AM

Try something like this:

yoursearch | stats count(eval(match(Direction,"North")) AS count_N count(eval(match(Direction,"South")) AS count_S count(eval(match(Direction,"East")) AS count_E count(eval(match(Direction,"West")) AS count_W

This way Splunk "evals" if the field Direction contains North and counts that.

HTH.

0 Karma
Reply

niketn
Legend
‎11-22-2016 08:29 AM

index=xxxx host=xxxx Direction="North" OR Direction="South" OR Direction="East" OR Direction="West" | stats Count by Direction

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

mrgibbon
Contributor
‎11-22-2016 02:57 PM

| stats count by Direction

0 Karma
Reply

niketn
Legend
‎11-22-2016 07:12 PM

Corrected the same 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Automatic Discovery Part 2: Setup and Best Practices

In Part 1 of this series, we covered what Automatic Discovery is and why it’s critical for observability at ...