Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Find stats from 2 events

dyapasrikanth
Path Finder
‎04-11-2021 06:30 AM

We have 2 events

OTP generated  through SMS with UUID=123123
OTP generated through EMAIL with UUID=432432
OTP Verified for UUID=123123

How to join events to find how many OTPs generated through different mediums (SMS/EMAIL) and how many successfully verified.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎04-11-2021 08:34 PM

Hi @dyapasrikanth,

You can use eventstats to add medium to all events based on UUID. Please try below;

index=foo ("OTP generated*" OR "OTP Verified*")
| rex "OTP (?<action>\w+)"
| rex "through (?<medium>\w+)"
| rex "UUID=(?<UUID>\d+)"
| stats values(*) as * by UUID
| eventstats last(medium) as medium by UUID
| stats sum(eval(action="generated")) as NumGenerated, sum(eval(action="Verified")) as NumVerified by medium
If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎04-11-2021 08:34 PM

Hi @dyapasrikanth,

You can use eventstats to add medium to all events based on UUID. Please try below;

index=foo ("OTP generated*" OR "OTP Verified*")
| rex "OTP (?<action>\w+)"
| rex "through (?<medium>\w+)"
| rex "UUID=(?<UUID>\d+)"
| stats values(*) as * by UUID
| eventstats last(medium) as medium by UUID
| stats sum(eval(action="generated")) as NumGenerated, sum(eval(action="Verified")) as NumVerified by medium
If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-11-2021 07:22 AM

Join is not necessary because the stats command can fulfill your wishes.

index=foo ("OTP generated*" OR "OTP Verified*")
```Now extract fields.  Skip this if the fields are already extracted```
| rex "OTP (?<action>\w+)"
| rex "through (?<medium>\w+)"
| rex "UUID=(?<UUID>\d+)"
```Now for the "join"```
| stats values(*) as * by UUID
```Now count the events```
| stats sum(eval(action="generated")) as NumGenerated, sum(eval(action="Verified")) as NumVerified by medium
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

dyapasrikanth
Path Finder
‎04-11-2021 03:38 PM

Thanks for your reply, I am getting data for NumGenerated not for NumVerified.

dyapasrikanth_0-1618180583660.png

We have medium only for generate events, not for verify events. We can correlate them only by UUID to find the medium which is verified.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...