- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create a search for stats count eval?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi
I need to use eval count in a search like this
| chart count(eval(web > 12))
But this count is right if I filter events préviously from a string
what I would like to do is something like this
| chart count(eval(web > 12 AND TOTO=a))
NB: I know I can filter before the chart command but its impossible here because my chart command stats a lot of different events...
How to do this please?
Rgds
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| chart count(eval(web > 12 AND TOTO=a))
Something like this should work. Did you try it? Is "a" a field OR a string? If it's a string, try enclosing it in double quotes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| chart count(eval(web > 12 AND TOTO=a))
Something like this should work. Did you try it? Is "a" a field OR a string? If it's a string, try enclosing it in double quotes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I dont undesrtand
even if I change the web_dom value, the result is the same!
| eval errcap =if(web >= 1 AND web_dom="aa" AND web_url="*", 1, 0)
| eval errcont =if(we >= 1 AND web_dom="bb", 1, 0)
| eval errshare =if(web= 1 AND web_dom="cc", 1, 0)
| chart count(errcap) as "errcap", count(errcont) as "errcont", count(errshare) as "errshare" over Time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| eval counter=if(web > 12 AND TOTO=a, 1, 0)
| chart sum(counter)- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have something very strange
if i add a clause like web_error_code and I assign it a value (404) in the example it works
| eval errshare =if(web_error_count >= 1 AND web_error_code=404 AND web_domain="sharepoint.com", 1, 0)
| stats sum(errshare)what is put "*" instead 404, I have no results!
what is wrong please?
| eval errshare =if(web_error_count >= 1 AND web_error_code="*" AND web_domain="sharepoint.com", 1, 0)
| stats sum(errshare)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found, it's Wild card for eval and where is not "*" (it only works with search command)
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
