Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create a search for stats count eval?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi
I need to use eval count in a search like this
| chart count(eval(web > 12))
But this count is right if I filter events préviously from a string
what I would like to do is something like this
| chart count(eval(web > 12 AND TOTO=a))
NB: I know I can filter before the chart command but its impossible here because my chart command stats a lot of different events...
How to do this please?
Rgds
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| chart count(eval(web > 12 AND TOTO=a))
Something like this should work. Did you try it? Is "a" a field OR a string? If it's a string, try enclosing it in double quotes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| chart count(eval(web > 12 AND TOTO=a))
Something like this should work. Did you try it? Is "a" a field OR a string? If it's a string, try enclosing it in double quotes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I dont undesrtand
even if I change the web_dom value, the result is the same!
| eval errcap =if(web >= 1 AND web_dom="aa" AND web_url="*", 1, 0)
| eval errcont =if(we >= 1 AND web_dom="bb", 1, 0)
| eval errshare =if(web= 1 AND web_dom="cc", 1, 0)
| chart count(errcap) as "errcap", count(errcont) as "errcont", count(errshare) as "errshare" over Time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| eval counter=if(web > 12 AND TOTO=a, 1, 0)
| chart sum(counter)- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have something very strange
if i add a clause like web_error_code and I assign it a value (404) in the example it works
| eval errshare =if(web_error_count >= 1 AND web_error_code=404 AND web_domain="sharepoint.com", 1, 0)
| stats sum(errshare)what is put "*" instead 404, I have no results!
what is wrong please?
| eval errshare =if(web_error_count >= 1 AND web_error_code="*" AND web_domain="sharepoint.com", 1, 0)
| stats sum(errshare)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found, it's Wild card for eval and where is not "*" (it only works with search command)
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
