Splunk Search

How can I get the count of two different field values in the same search?

zacksoft
Contributor

My Splunk query is:

host=x OR host=y OR host=z nfs1
| stats count as nfs1_count

In the above case the nfs1 field is searched for across the three hosts and, if found, the event count is displayed as nfs1_count.

My concern is, I have another field called 'nfs2' that also needs to be searched for across the same three hosts (x, y, z), and its event count needs to be collected. Later the event counts (the numeric values) for the fields nfs1 and nfs2 are to be put in a table or a pie chart.
Is it possible to achieve this in one search query?

0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust

Hi @zacksoft,

Can you please try this one?

(host=x OR host=y OR host=z) (nfs1=* OR nfs2=*) | stats count(eval(isnotnull(nfs1))) as nfs1_count, count(eval(isnotnull(nfs2))) as nfs2_count

Thanks


zacksoft
Contributor

Won't work, same as before. It doesn't search 'ERROR'. So I changed the second line ("struc" OR "expo") to error to see what results come back. In that case I only got events with ERROR, not with struc or xpo!

0 Karma

kamlesh_vaghela
SplunkTrust

Hi

As I found "ERROR" in your sample search, I used it for the search.

Do we get data in the searches below?
1)

(host="hg67plvbsa788.vadnski.com" OR "hg67plvbsa781.vadnski.com" OR "hg67plvbsa783.vadnski.com" OR "hg67plvbsa784.vadnski.com" OR "hg67hgtrre388.vadnski.com") ("struc" OR "xpo") "ERROR"

2)

 (host="hg67plvbsa788.vadnski.com" OR "hg67plvbsa781.vadnski.com" OR "hg67plvbsa783.vadnski.com" OR "hg67plvbsa784.vadnski.com" OR "hg67hgtrre388.vadnski.com") ("struc" OR "xpo") "ERROR"  | eval struc = if(like(_raw,"%struc%") AND like(_raw,"%ERROR%"),1,8) | eval xpo = if(like(_raw,"%xpo%") AND like(_raw,"%ERROR%"),1,8) | table _time struc xpo
0 Karma

zacksoft
Contributor

1) yes, we get data in this search.
2) Yes, we get data in this search, and the search events also contain the keywords 'struc' AND 'error'; 'xpo' AND 'error', as we expected.

0 Karma

kamlesh_vaghela
SplunkTrust

Great,

Then this should work.

(host="hg67plvbsa788.vadnski.com" OR "hg67plvbsa781.vadnski.com" OR "hg67plvbsa783.vadnski.com" OR "hg67plvbsa784.vadnski.com" OR "hg67hgtrre388.vadnski.com") ("struc" OR "xpo") "ERROR" | eval struc = if(like(_raw,"%struc%") AND like(_raw,"%ERROR%"),1,8) | eval xpo = if(like(_raw,"%xpo%") AND like(_raw,"%ERROR%"),1,8) | stats sum(struc) as nfs1_count sum(xpo) as nfs2_count

0 Karma
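Combining the accepted answer and the keyword-based version above into one pattern, as an added example that is not from this thread: `count(eval(...))` inside `stats` produces both counts without the intermediate `eval` columns, and `match()` with `(?i)` replaces `like()`, because `like()` is case-sensitive (which is why `%ERROR%` and `%Error%` behaved differently in the thread) while the base search terms are not. The hosts x, y, z and the keywords nfs1/nfs2/error1/error2 are placeholders; the first search counts each keyword pair independently, the second assigns every event to one category so the result feeds a pie chart directly.

```spl
(host=x OR host=y OR host=z) ("nfs1" OR "nfs2") ("error1" OR "error2")
| stats count(eval(match(_raw, "(?i)nfs1") AND match(_raw, "(?i)error1"))) AS nfs1_count,
        count(eval(match(_raw, "(?i)nfs2") AND match(_raw, "(?i)error2"))) AS nfs2_count
| transpose column_name=keyword
| rename "row 1" AS count

(host=x OR host=y OR host=z) ("nfs1" OR "nfs2") ("error1" OR "error2")
| eval keyword=case(match(_raw, "(?i)nfs1") AND match(_raw, "(?i)error1"), "nfs1_count",
                    match(_raw, "(?i)nfs2") AND match(_raw, "(?i)error2"), "nfs2_count")
| where isnotnull(keyword)
| stats count BY keyword
```

An event that contains both keyword pairs is counted twice by the first search and once (under nfs1_count, the first matching `case` branch) by the second, so pick the variant that matches how the chart should read.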

zacksoft
Contributor

@kamlesh_vaghela
Yes, it's working now. Brilliant. 🙂
I cannot thank you enough for your patience with this issue.

In future, if such a query comes up, is it okay to use the search command you have supplied, only changing the struc/xpo/error words in it as required? I am asking 'cos I don't understand the last part of it, where you have put 1,8), which was initially 1,0). What does 1,8) signify?

Thanks again for the brilliance.

0 Karma

zacksoft
Contributor

It's really strange but the resulting events do not contain the word ERROR.
All the events have either the word 'struc' or 'xpo'.
But none of the events contain 'struc' AND 'error' .
Now, when I removed the line ("struc" OR "xpo") and put error there, like the following, it shows events only with the 'error' keyword, not error AND struc.

(host="something1.domain.com" OR "something2.domain.com" OR "something3.domain.com" OR "something4.domain.com" OR "something5.domian.com" )
error
| eval struc = if(like(_raw,"%struc%") AND like(_raw,"%ERROR%"),1,0)
| eval xpo = if(like(_raw,"%xpo%") AND like(_raw,"%ERROR%"),1,0)
| stats sum(struc) as nfs1_count sum(xpo) as nfs2_count

0 Karma

zacksoft
Contributor

(host="hg67plvbsa788.vadnski.com" OR "hg67plvbsa781.vadnski.com" OR "hg67plvbsa783.vadnski.com" OR "hg67plvbsa784.vadnski.com" OR "hg67hgtrre388.vadnski.com")

("struc" OR "xpo")

| eval struc = if(like(_raw,"%struc%") AND like(_raw,"%Error%"),1,8)

| eval xpo = if(like(_raw,"%xpo%") AND like(_raw,"%Error%"),1,8)

| stats sum(struc) as nfs1_count sum(xpo) as nfs2_count

0 Karma

zacksoft
Contributor

@kamlesh_vaghela

host="something1.domain.com" OR "something2.domain.com" OR "something3.domain.com" OR "something4.domain.com" OR "something5.domian.com"
("struc" OR "xpo")
| eval struc = if(like(_raw,"%struc%") AND like(_raw,"%Error%"),1,0)
| eval xpo = if(like(_raw,"%xpo%") AND like(_raw,"%Error%"),1,0)
| stats sum(struc) as nfs1_count sum(xpo) as nfs2_count

0 Karma

kamlesh_vaghela
SplunkTrust

Hi
Can I have sample _raw event?

0 Karma

gcusello
SplunkTrust

Hi zacksoft,
try something like this:

host=x OR host=y OR host=z
| eval nfs=case(nfs1=*,"nfs1_count"," ",nfs2=*,"nfs2_count")
| stats count BY nfs

Bye.
Giuseppe

0 Karma

zacksoft
Contributor

Thanks Giuseppe for the response.
The eval statement throws an error:
Error in 'eval' command: The expression is malformed. An unexpected character is reached at ',"nfs1_count"," " ,nfs2=,"nfs2_count")'.

0 Karma

gcusello
SplunkTrust

Sorry, there's an error, try:

host=x OR host=y OR host=z
| eval nfs=case(nfs1=,"nfs1_count",nfs2=,"nfs2_count")
| stats count BY nfs

Bye.
Giuseppe

zacksoft
Contributor

@gcusello
Hi Giuseppe -
I get [Error in 'eval' command: The expression is malformed.]
Just so you know, nfs1 and nfs2 are not Splunk fields. They are just some keywords found in error logs. What exactly I'm seeking help for is:
nfs1_count should give me the count of 'nfs1' AND 'error1'.
nfs2_count should give me the count of 'nfs2' AND 'error2'.
(error1 and error2 are again just words in the log; they are not Splunk fields.)

0 Karma

gcusello
SplunkTrust

Sorry, there was a representation error:

host=x OR host=y OR host=z
| eval nfs=case(nfs1=*,"nfs1_count",nfs2=*,"nfs2_count")
| stats count BY nfs

Bye.
Giuseppe

0 Karma