Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to count a field that contains special values ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a column named Target that contains several values where some ends with @myemail.com, but when I just used stats count by Targetit became really messy as there are many email users.
So I want to sum all the values that end with @myemail.com and then display in the Pie chart with other value counts. But I tried stats sum(eval) return no result while the case wouldn't work as the total type of string values changes along time.
Does anyone know how to search this? Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I understood correctly, you want to count *@myemail.com in totals vs single count of all other users?
| makeresults | eval Target="bla@myemail.com,something@else.com,foobar@myemail.com,metoo@aol.com,splunk@myemail.com"
| makemv delim="," Target | mvexpand Target
| rex field=Target "(?<user>[^@]+)@(?<domain>.*)$"
| eval myemail_combined_Target=if(domain=="myemail.com","myemail.com",Target)
| stats count by myemail_combined_Target
The first two line just generate a random input for this cut and paste example. I have three @myemail.com domain users in the input, and two other ones.
Third line splits the Target into user and domain, that's where you would start after your base search.
Fourth line create a field that either is "myemail.com" for all those users, or the original Target for everything else.
Last line is the count that you wanted to have if I understood correctly. 🙂
Hth,
-Kai.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I understood correctly, you want to count *@myemail.com in totals vs single count of all other users?
| makeresults | eval Target="bla@myemail.com,something@else.com,foobar@myemail.com,metoo@aol.com,splunk@myemail.com"
| makemv delim="," Target | mvexpand Target
| rex field=Target "(?<user>[^@]+)@(?<domain>.*)$"
| eval myemail_combined_Target=if(domain=="myemail.com","myemail.com",Target)
| stats count by myemail_combined_Target
The first two line just generate a random input for this cut and paste example. I have three @myemail.com domain users in the input, and two other ones.
Third line splits the Target into user and domain, that's where you would start after your base search.
Fourth line create a field that either is "myemail.com" for all those users, or the original Target for everything else.
Last line is the count that you wanted to have if I understood correctly. 🙂
Hth,
-Kai.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your response. Tho the rex was a bit off but the whole search string worked perfectly after I made a minor change. Your explanation was very thorough.
Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform
Calling All Security Pros: Ready to Race Through Boston?
Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...
