Splunk Search

Distinct count of one field when second field matches string %200%

praveenvemuri
Explorer

Hi, I am trying to get a distinct count of field1 when field2 contains the string 200, 500, 400 etc., and I am trying to summary index it. I cannot dedup it before the eval function, as the same field1 value can exist for another response.

eval response=case(rsppcode LIKE "%200%", 200,     rsppcode LIKE "%401%", 401, 
                   rsppcode LIKE "%403%", 403,     rsppcode LIKE "%404%", 404, 
                   rsppcode LIKE "%409%", 409,    rsppcode LIKE "%504%", 504, 
                   rsppcode LIKE "%500%", 500,     rsppcode LIKE "%422%", 422,
                   rsppcode LIKE "%550%", 550,    rsppcode LIKE "%", Others ) 
| timechart span=5min dc(field1) by response

I tried this one, but when summary indexed it was unable to recognise the response field, as it is an eval field. All response counts are under NULL.

Normal output

_time                       200  401    403 404 409 422 500 504 NULL
1   4/8/13 9:40:00.000 AM   2151    2   9   87              9   108
2   4/8/13 9:45:00.000 AM   2746    10  17  333 4   2       41  862
3   4/8/13 9:50:00.000 AM   2770    11  17  359     2       49  827

output from summaryindex

time NULL
somevalue somevalue

Please advise.


lguinn2
Legend

Try this - put the values for response in quotes

eval response=case(rsppcode LIKE "%200%", "200",     rsppcode LIKE "%401%", "401", 
                   rsppcode LIKE "%403%", "403",     rsppcode LIKE "%404%", "404", 
                   rsppcode LIKE "%409%", "409",    rsppcode LIKE "%504%", "504", 
                   rsppcode LIKE "%500%", "500",     rsppcode LIKE "%422%", "422",
                   rsppcode LIKE "%550%", "550",    rsppcode LIKE "%", "Others" ) 
| timechart span=5min dc(field1) by response

I also recommend that you use sitimechart instead of timechart for summary indexing. Look here for more info

Finally, I am not sure how the title of this post relates to the question - am I missing something?
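As an added example (not part of either post), here is the summary-indexing flow lguinn2 recommends, with the quoted case() values: the first search is the scheduled one that populates the summary index, the second is the reporting search run over it. The saved-search name rsp_dc_5min, the index web and the sourcetype access_combined are assumed placeholders; rsppcode and field1 come from the question.

```spl
index=web sourcetype=access_combined
| eval response=case(rsppcode LIKE "%200%", "200", rsppcode LIKE "%401%", "401",
                     rsppcode LIKE "%403%", "403", rsppcode LIKE "%404%", "404",
                     rsppcode LIKE "%409%", "409", rsppcode LIKE "%504%", "504",
                     rsppcode LIKE "%500%", "500", rsppcode LIKE "%422%", "422",
                     rsppcode LIKE "%550%", "550", rsppcode LIKE "%", "Others")
| sitimechart span=5m dc(field1) by response

index=summary search_name="rsp_dc_5min"
| timechart span=5m dc(field1) by response
```

The reporting search repeats the same timechart arguments as the sitimechart, which is what lets Splunk combine the stored partial distinct counts correctly; because the case() values are strings, the response column names survive the round trip instead of collapsing into NULL.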
