Counting Specific Events Type?

asarran · ‎11-22-2016

Good Morning, Fellow Splunkers

I have a field extraction that outputs four possible values [Example]:

Field Extraction: [Direction]

[North]
[South]
[East]
[West]

I would like to count each of event within a period of time.

I'm thinking:

index=xxxx host=xxxx Direction="*"| Stat Count ("North" "South" "East" "West")

woodcock · ‎03-11-2017

Like this:

... | stats count BY Direction

gcusello · ‎11-23-2016

Hi asarran,
try something like this

your_search direction=* | stats count by Direction

or if you want a Time distribution

your_search direction=* | timechart count by Direction

Bye.
Giuseppe

Raschko · ‎11-22-2016

Try something like this:

yoursearch | stats count(eval(match(Direction,"North")) AS count_N count(eval(match(Direction,"South")) AS count_S count(eval(match(Direction,"East")) AS count_E count(eval(match(Direction,"West")) AS count_W

This way Splunk "evals" if the field Direction contains North and counts that.

HTH.

niketnilay · ‎11-22-2016

index=xxxx host=xxxx Direction="North" OR Direction="South" OR Direction="East" OR Direction="West" | stats Count by Direction

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

mrgibbon · ‎11-22-2016

| stats count by Direction

niketnilay · ‎11-22-2016

Corrected the same 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Counting Specific Events Type?

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.Find out what your skills are worth! Read the report >

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!

Read the report >