Splunk Search

How to create a search for stats count eval?

jip31
Motivator

hi

I need to use eval count in a search like this

 

 

 

| chart count(eval(web > 12)) 

 

 

 

But this count is right if I filter events préviously from a string

what I would like to do is something like this

 

 

 

| chart count(eval(web > 12 AND TOTO=a)) 

 

 

 

NB: I know I can filter before the chart command but its impossible here because my chart command stats a lot of different events...

How to do this please?

Rgds

Labels (3)
0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust
| chart count(eval(web > 12 AND TOTO=a)) 

Something like this should work. Did you try it? Is "a" a field OR a string?  If it's a string, try enclosing it in double quotes.

 

View solution in original post

0 Karma

somesoni2
SplunkTrust
SplunkTrust
| chart count(eval(web > 12 AND TOTO=a)) 

Something like this should work. Did you try it? Is "a" a field OR a string?  If it's a string, try enclosing it in double quotes.

 

0 Karma

jip31
Motivator

I dont undesrtand

even if I change the web_dom value, the result is the same!

| eval errcap =if(web >= 1 AND web_dom="aa" AND web_url="*", 1, 0) 
| eval errcont =if(we >= 1 AND web_dom="bb", 1, 0)  
| eval errshare =if(web= 1 AND web_dom="cc", 1, 0) 
| chart count(errcap) as "errcap", count(errcont) as "errcont", count(errshare) as "errshare" over Time

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| eval counter=if(web > 12 AND TOTO=a, 1, 0)
| chart sum(counter)
0 Karma

jip31
Motivator

I have something very strange

if i add a clause like web_error_code and I assign it a value (404) in the example it works

| eval errshare =if(web_error_count >= 1 AND web_error_code=404 AND web_domain="sharepoint.com", 1, 0) 
| stats sum(errshare)

what is put "*" instead 404, I have no results!

what is wrong please?

 

| eval errshare =if(web_error_count >= 1 AND web_error_code="*" AND web_domain="sharepoint.com", 1, 0) 
| stats sum(errshare)

 

 

0 Karma

jip31
Motivator

I found, it's Wild card for eval and where is not "*" (it only works with search command)

0 Karma
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...