Splunk Search

Counting Specific Events Type?

asarran
Path Finder

Good Morning, Fellow Splunkers

I have a field extraction that outputs four possible values [Example]:

Field Extraction: [Direction]

[North]
[South]
[East]
[West]

I would like to count each of event within a period of time.

I'm thinking:

index=xxxx host=xxxx Direction="*"| Stat Count ("North" "South" "East" "West")

0 Karma

woodcock
Esteemed Legend

Like this:

... | stats count BY Direction
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi asarran,
try something like this

your_search direction=* | stats count by Direction

or if you want a Time distribution

your_search direction=* | timechart count by Direction

Bye.
Giuseppe

0 Karma

Raschko
Communicator

Try something like this:

yoursearch | stats count(eval(match(Direction,"North")) AS count_N count(eval(match(Direction,"South")) AS count_S count(eval(match(Direction,"East")) AS count_E count(eval(match(Direction,"West")) AS count_W

This way Splunk "evals" if the field Direction contains North and counts that.

HTH.

0 Karma

niketn
Legend

index=xxxx host=xxxx Direction="North" OR Direction="South" OR Direction="East" OR Direction="West" | stats Count by Direction

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

mrgibbon
Contributor

| stats count by Direction

0 Karma

niketn
Legend

Corrected the same 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

Edge Processor | New Resiliency Improvements & Support for Additional Data Sources

We are excited to announce several exciting updates for Edge Processor aimed at hardening overall product ...

Splunk Certification Support Alert | Pearson VUE Outage

Splunk Certification holders and candidates!  Please be advised of an upcoming system maintenance period for ...

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...