Splunk Search

How to create a search for stats count eval?

jip31
Motivator

hi

I need to use eval count in a search like this

 

 

 

| chart count(eval(web > 12)) 

 

 

 

But this count is right if I filter events préviously from a string

what I would like to do is something like this

 

 

 

| chart count(eval(web > 12 AND TOTO=a)) 

 

 

 

NB: I know I can filter before the chart command but its impossible here because my chart command stats a lot of different events...

How to do this please?

Rgds

Labels (3)
0 Karma
1 Solution

somesoni2
Revered Legend
| chart count(eval(web > 12 AND TOTO=a)) 

Something like this should work. Did you try it? Is "a" a field OR a string?  If it's a string, try enclosing it in double quotes.

 

View solution in original post

0 Karma

somesoni2
Revered Legend
| chart count(eval(web > 12 AND TOTO=a)) 

Something like this should work. Did you try it? Is "a" a field OR a string?  If it's a string, try enclosing it in double quotes.

 

0 Karma

jip31
Motivator

I dont undesrtand

even if I change the web_dom value, the result is the same!

| eval errcap =if(web >= 1 AND web_dom="aa" AND web_url="*", 1, 0) 
| eval errcont =if(we >= 1 AND web_dom="bb", 1, 0)  
| eval errshare =if(web= 1 AND web_dom="cc", 1, 0) 
| chart count(errcap) as "errcap", count(errcont) as "errcont", count(errshare) as "errshare" over Time

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| eval counter=if(web > 12 AND TOTO=a, 1, 0)
| chart sum(counter)
0 Karma

jip31
Motivator

I have something very strange

if i add a clause like web_error_code and I assign it a value (404) in the example it works

| eval errshare =if(web_error_count >= 1 AND web_error_code=404 AND web_domain="sharepoint.com", 1, 0) 
| stats sum(errshare)

what is put "*" instead 404, I have no results!

what is wrong please?

 

| eval errshare =if(web_error_count >= 1 AND web_error_code="*" AND web_domain="sharepoint.com", 1, 0) 
| stats sum(errshare)

 

 

0 Karma

jip31
Motivator

I found, it's Wild card for eval and where is not "*" (it only works with search command)

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...