Splunk Search

How to create a search for stats count eval?

jip31
Motivator

hi

I need to use eval count in a search like this

 

 

 

| chart count(eval(web > 12)) 

 

 

 

But this count is right if I filter events préviously from a string

what I would like to do is something like this

 

 

 

| chart count(eval(web > 12 AND TOTO=a)) 

 

 

 

NB: I know I can filter before the chart command but its impossible here because my chart command stats a lot of different events...

How to do this please?

Rgds

Labels (3)
0 Karma
1 Solution

somesoni2
Revered Legend
| chart count(eval(web > 12 AND TOTO=a)) 

Something like this should work. Did you try it? Is "a" a field OR a string?  If it's a string, try enclosing it in double quotes.

 

View solution in original post

0 Karma

somesoni2
Revered Legend
| chart count(eval(web > 12 AND TOTO=a)) 

Something like this should work. Did you try it? Is "a" a field OR a string?  If it's a string, try enclosing it in double quotes.

 

0 Karma

jip31
Motivator

I dont undesrtand

even if I change the web_dom value, the result is the same!

| eval errcap =if(web >= 1 AND web_dom="aa" AND web_url="*", 1, 0) 
| eval errcont =if(we >= 1 AND web_dom="bb", 1, 0)  
| eval errshare =if(web= 1 AND web_dom="cc", 1, 0) 
| chart count(errcap) as "errcap", count(errcont) as "errcont", count(errshare) as "errshare" over Time

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| eval counter=if(web > 12 AND TOTO=a, 1, 0)
| chart sum(counter)
0 Karma

jip31
Motivator

I have something very strange

if i add a clause like web_error_code and I assign it a value (404) in the example it works

| eval errshare =if(web_error_count >= 1 AND web_error_code=404 AND web_domain="sharepoint.com", 1, 0) 
| stats sum(errshare)

what is put "*" instead 404, I have no results!

what is wrong please?

 

| eval errshare =if(web_error_count >= 1 AND web_error_code="*" AND web_domain="sharepoint.com", 1, 0) 
| stats sum(errshare)

 

 

0 Karma

jip31
Motivator

I found, it's Wild card for eval and where is not "*" (it only works with search command)

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...