Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Find stats from 2 events

dyapasrikanth
Path Finder
‎04-11-2021 06:30 AM

We have 2 events

OTP generated  through SMS with UUID=123123
OTP generated through EMAIL with UUID=432432
OTP Verified for UUID=123123

How to join events to find how many OTPs generated through different mediums (SMS/EMAIL) and how many successfully verified.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎04-11-2021 08:34 PM

Hi @dyapasrikanth,

You can use eventstats to add medium to all events based on UUID. Please try below;

index=foo ("OTP generated*" OR "OTP Verified*")
| rex "OTP (?<action>\w+)"
| rex "through (?<medium>\w+)"
| rex "UUID=(?<UUID>\d+)"
| stats values(*) as * by UUID
| eventstats last(medium) as medium by UUID
| stats sum(eval(action="generated")) as NumGenerated, sum(eval(action="Verified")) as NumVerified by medium
If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎04-11-2021 08:34 PM

Hi @dyapasrikanth,

You can use eventstats to add medium to all events based on UUID. Please try below;

index=foo ("OTP generated*" OR "OTP Verified*")
| rex "OTP (?<action>\w+)"
| rex "through (?<medium>\w+)"
| rex "UUID=(?<UUID>\d+)"
| stats values(*) as * by UUID
| eventstats last(medium) as medium by UUID
| stats sum(eval(action="generated")) as NumGenerated, sum(eval(action="Verified")) as NumVerified by medium
If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-11-2021 07:22 AM

Join is not necessary because the stats command can fulfill your wishes.

index=foo ("OTP generated*" OR "OTP Verified*")
```Now extract fields.  Skip this if the fields are already extracted```
| rex "OTP (?<action>\w+)"
| rex "through (?<medium>\w+)"
| rex "UUID=(?<UUID>\d+)"
```Now for the "join"```
| stats values(*) as * by UUID
```Now count the events```
| stats sum(eval(action="generated")) as NumGenerated, sum(eval(action="Verified")) as NumVerified by medium
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

dyapasrikanth
Path Finder
‎04-11-2021 03:38 PM

Thanks for your reply, I am getting data for NumGenerated not for NumVerified.

dyapasrikanth_0-1618180583660.png

We have medium only for generate events, not for verify events. We can correlate them only by UUID to find the medium which is verified.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...