Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a search for matching two fields value to one new field?

mohsplunking
Explorer
‎09-21-2023 04:51 AM

Hello Splunker,

I'm trying to  join two fields values in stats command using Eval , looks like I'm doing it wrong, Please help me with the correct syntax.

 

 

| stats count (eval(action="Not Found",action="Forbidden")) as failures by src
| where failures>100
| table src

 

 

Basically I'm trying call "Not Found" and "Forbidden" as Failures that happened from a single source and then make a count of both these fields. 

 

A Help  here is appreciated,

 

Thanks,

Moh

Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎09-22-2023 12:13 PM

Yes, the syntax was tested.  Here is test code you can try anywhere

 

index=_internal
| stats count(eval(sourcetype IN ("splunkd_access", "splunkd_ui_access"))) as selective_with_IN count as all by source

 

Result on my laptop instance is

sourceselective_with_INall
/Applications/Splunk/var/log/splunk/health.log05884
/Applications/Splunk/var/log/splunk/license_usage.log02
/Applications/Splunk/var/log/splunk/metrics.log045872
/Applications/Splunk/var/log/splunk/metrics.log.102
/Applications/Splunk/var/log/splunk/mongod.log01
/Applications/Splunk/var/log/splunk/python.log0376
/Applications/Splunk/var/log/splunk/search_messages.log01
/Applications/Splunk/var/log/splunk/splunkd.log028780
/Applications/Splunk/var/log/splunk/splunkd_access.log60686068
/Applications/Splunk/var/log/splunk/splunkd_ui_access.log804804
/Applications/Splunk/var/log/splunk/web_access.log068
/Applications/Splunk/var/log/splunk/web_service.log0197

My version is 9.1.

Using the syntax @bowesmana gives result in the same

 

index=_internal
| stats sum(eval(if(sourcetype IN ("splunkd_access", "splunkd_ui_access"), 1, 0))) as selective_with_IN count as all by source

 

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎09-21-2023 07:50 PM

The eval statement is wrong - use sum and an if condition to evaluate to 1 or 0

| stats sum(eval(if(action="Not Found" OR action="Forbidden",1,0))) as failures by src

 

0 Karma
Reply
Solved! Jump to solution

dural_yyz
Builder
‎09-21-2023 06:35 AM

It appears that the field action has text values and you are trying to apply a volume limit where statement.  You could create a new field of 'tmp' if action IN (value1 value2), "1","0").  At that point you can stats count or sum the new field and apply your where statement based upon your own needs.

 

Just a thought.

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎09-21-2023 05:19 AM

You are almost there.

| stats count (eval(action IN ("Not Found","Forbidden"))) as failures by src
| where failures>100 | table src
0 Karma
Reply
Solved! Jump to solution

mohsplunking
Explorer
‎09-21-2023 05:56 AM

Thanks for looking into it, however, it did not go through, it still gives an error

The argument '(eval(action IN (Not Found,Forbidden)))' is invalid 😞

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎09-21-2023 07:05 PM

The argument '(eval(action IN (Not Found,Forbidden)))' is invalid 😞

Did you use quotation marks as my example includes?

0 Karma
Reply
Solved! Jump to solution

mohsplunking
Explorer
‎09-22-2023 01:16 AM

Hello Yuanliu,

Thanks once again for your efforts,

Yes i did add the quotes , basically I copy pasted from here to search directly.  Have you tested this at your end by any chance

 

Thanks,

 

0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎09-22-2023 12:13 PM

Yes, the syntax was tested.  Here is test code you can try anywhere

 

index=_internal
| stats count(eval(sourcetype IN ("splunkd_access", "splunkd_ui_access"))) as selective_with_IN count as all by source

 

Result on my laptop instance is

sourceselective_with_INall
/Applications/Splunk/var/log/splunk/health.log05884
/Applications/Splunk/var/log/splunk/license_usage.log02
/Applications/Splunk/var/log/splunk/metrics.log045872
/Applications/Splunk/var/log/splunk/metrics.log.102
/Applications/Splunk/var/log/splunk/mongod.log01
/Applications/Splunk/var/log/splunk/python.log0376
/Applications/Splunk/var/log/splunk/search_messages.log01
/Applications/Splunk/var/log/splunk/splunkd.log028780
/Applications/Splunk/var/log/splunk/splunkd_access.log60686068
/Applications/Splunk/var/log/splunk/splunkd_ui_access.log804804
/Applications/Splunk/var/log/splunk/web_access.log068
/Applications/Splunk/var/log/splunk/web_service.log0197

My version is 9.1.

Using the syntax @bowesmana gives result in the same

 

index=_internal
| stats sum(eval(if(sourcetype IN ("splunkd_access", "splunkd_ui_access"), 1, 0))) as selective_with_IN count as all by source

 

 

0 Karma
Reply
Solved! Jump to solution

mohsplunking
Explorer
‎09-26-2023 04:42 AM

Thanks so much @yuanliu @bowesmana  both for the great help,

 

@yuanliu  So after you post the second query with the results there I was to catch the difference from your previous query and the last one, I was not getting results because in the stats command I was giving space between "count and Eval" , if I do that , it does not get execute. :d

Anyway, it a perfect query for my use-case, Much Appreciated !

0 Karma
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...