Counting Specific Events Type?

asarran · ‎11-22-2016

Good Morning, Fellow Splunkers

I have a field extraction that outputs four possible values [Example]:

Field Extraction: [Direction]

[North]
[South]
[East]
[West]

I would like to count each of event within a period of time.

I'm thinking:

index=xxxx host=xxxx Direction="*"| Stat Count ("North" "South" "East" "West")

niketnilay · ‎11-22-2016

index=xxxx host=xxxx Direction="North" OR Direction="South" OR Direction="East" OR Direction="West" | stats Count by Direction

| eval message="Happy Splunking!!!"

mrgibbon · ‎11-22-2016

| stats count by Direction

niketnilay · ‎11-22-2016

Corrected the same 🙂

| eval message="Happy Splunking!!!"

Raschko · ‎11-22-2016

Try something like this:

yoursearch | stats count(eval(match(Direction,"North")) AS count_N count(eval(match(Direction,"South")) AS count_S count(eval(match(Direction,"East")) AS count_E count(eval(match(Direction,"West")) AS count_W

This way Splunk "evals" if the field Direction contains North and counts that.

HTH.

gcusello · ‎11-23-2016

Hi asarran,
try something like this

your_search direction=* | stats count by Direction

or if you want a Time distribution

your_search direction=* | timechart count by Direction

Bye.
Giuseppe

woodcock · ‎03-11-2017

Like this:

... | stats count BY Direction

Counting Specific Events Type?

Re: Counting Specific Events Type?

Re: Counting Specific Events Type?

Re: Counting Specific Events Type?

Re: Counting Specific Events Type?

Re: Counting Specific Events Type?

Re: Counting Specific Events Type?