Solved: Get the count of events in a search and use it to ...

deepaksn1214 · ‎04-22-2021

I need to get the count of the total number of events in the search and use it later to calculate the value of another field.

I am trying to use the eventstats command to do it. When i use the eventstats to create a new total field and later to compute the errorPercentage , it is always null.

This is the sample query i am using:

<search>
| eventstats count as total
| eval Message_new = 'Message.msg'
| rex mode=sed field=Message_new "s/^\"//g"
| eval new_msg=case(like(Message_new,"%xyz%"),"abc",like(Message_new,"%qqq%"),"aaaa",1==1,"unknown")
| eventstats max(_time) as maxtime, min(_time) as mintime
| eval midpoint=(maxtime + mintime) / 2 | eval Period=if(_time > midpoint,"interval_2","interval_1")
| eventstats count(new_msg) as errorcount by Period,new_msg
| xyseries new_msg Period errorcount | eval percentSpike = round((( interval_2 - interval_1 ) / interval_1 ) * 100)
| eval errorPercent = round(((interval_2 + interval_1) /total) * 100)
| table new_msg interval_1 interval_2 percentSpike errorPercent

ITWhisperer · ‎04-22-2021

total doesn't make it past xyseries but you can recalculate total by summing the two intervals - run-anywhere example - replace the bit above the blank lines with your search and message manipulation

| gentimes start=-1 increment=1h 
| rename starttime as _time 
| fields _time
| eval new_msg=mvindex(split("abc,aaaa,unknown",","),random() % 3)



| eventstats max(_time) as maxtime min(_time) as mintime
| eval midpoint=(maxtime+mintime)/2
| eval Period=if(_time>midpoint,"interval_2","interval_1")
| eventstats count(new_msg) as errorcount by Period new_msg
| xyseries new_msg Period errorcount
| eval percentSpike = round((( interval_2 - interval_1 ) / interval_1 ) * 100)
| eventstats sum(interval_*) as total_*
| eval total=total_1+total_2
| eval errorPercent = round(((interval_2 + interval_1) /total) * 100)
| table new_msg interval_1 interval_2 percentSpike errorPercent

View solution in original post

ITWhisperer · ‎04-22-2021

total doesn't make it past xyseries but you can recalculate total by summing the two intervals - run-anywhere example - replace the bit above the blank lines with your search and message manipulation

| gentimes start=-1 increment=1h 
| rename starttime as _time 
| fields _time
| eval new_msg=mvindex(split("abc,aaaa,unknown",","),random() % 3)



| eventstats max(_time) as maxtime min(_time) as mintime
| eval midpoint=(maxtime+mintime)/2
| eval Period=if(_time>midpoint,"interval_2","interval_1")
| eventstats count(new_msg) as errorcount by Period new_msg
| xyseries new_msg Period errorcount
| eval percentSpike = round((( interval_2 - interval_1 ) / interval_1 ) * 100)
| eventstats sum(interval_*) as total_*
| eval total=total_1+total_2
| eval errorPercent = round(((interval_2 + interval_1) /total) * 100)
| table new_msg interval_1 interval_2 percentSpike errorPercent

Get the count of events in a search and use it to calculate another field

eval

stats

table

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?