Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

HELP with Search and Bar Chart...

leomedina
Explorer
‎04-04-2017 10:53 PM

Hello all,

I am trying to search on multiple values, which are not being populated in a field. And then renaming these values into "Success" or "Fail".

Thus far I have:

index=datapower sourcetype=syslog EventType=error
| stats count(eval(0x80e00110 NOT 0x01130009 NOT 0x01130024 NOT 0x00d30003 NOT 0x80c00009 NOT 0x80c00010 NOT 0x01d30001 NOT 0x84e00032 NOT 0x80e00791="Fail"))
| stats count(eval(0x00530002 AND 0x80c00008 AND 0x80e006c1 AND 0x01130006 AND 0x80e00126 AND 0x80e00627="Success"))

I keep getting an error and can't see anything 😞

Sincerely appreciate the help.

Also how do I display this in a side bar graph?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hhGA
Communicator
‎04-05-2017 07:53 AM

Hi leomedina,

Seeing as you have 0x80e00791="Fail", I'm assuming that 0x80e00110, 0x01130009 etc are field names.

Instead of eval(0x80e00110 NOT 0x01130009 NOT 0x01130024) try using eval(isNull(0x80e00110) AND isNull(0x01130009) AND isNull(0x01130024)) instead.

When you have the data correct, click on 'Vizualisation' to see the chart views.

Let me know if there are any issues.

View solution in original post

Reply
Solved! Jump to solution
Solution

hhGA
Communicator
‎04-05-2017 07:53 AM

Hi leomedina,

Seeing as you have 0x80e00791="Fail", I'm assuming that 0x80e00110, 0x01130009 etc are field names.

Instead of eval(0x80e00110 NOT 0x01130009 NOT 0x01130024) try using eval(isNull(0x80e00110) AND isNull(0x01130009) AND isNull(0x01130024)) instead.

When you have the data correct, click on 'Vizualisation' to see the chart views.

Let me know if there are any issues.

Reply
Solved! Jump to solution

leomedina
Explorer
‎04-05-2017 11:04 AM

hhGA... You, my friend, are a genius... I am getting the data I needed...

| eval (0x00530002) OR (0x80c00008) OR (0x80e006c1) OR (0x01130006) OR (0x80e00126) OR (0x80e00627)="Success"   
| eval isNull(0x80e00110) AND isNull(0x01130009) isNull(0x01130024) isNull(0x00d30003) isNull(0x80c00009) isNull(0x80c00010) isNull(0x01d30001)  isNull(0x84e00032) isNull(0x80e00791)="Errors"

Thanks!

0 Karma
Reply
Solved! Jump to solution

aaraneta_splunk
Splunk Employee
Splunk Employee
‎04-05-2017 02:25 PM

@leomedina - Glad to hear hhGA's answer helped answer your question. Please don't forget to resolve this post by clicking "Accept" so that other users can easily find it too. Thanks!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...