How to create a search for stats count eval?

jip31
Motivator

hi

I need to use eval count in a search like this:

| chart count(eval(web > 12))

But this count is right only if I filter events previously by a string.

What I would like to do is something like this:

| chart count(eval(web > 12 AND TOTO=a))

NB: I know I can filter before the chart command, but it's impossible here because my chart command stats a lot of different events...

How to do this please?

Rgds

1 Solution

somesoni2
Revered Legend
| chart count(eval(web > 12 AND TOTO=a)) 

Something like this should work. Did you try it? Is "a" a field OR a string?  If it's a string, try enclosing it in double quotes.

 


jip31
Motivator

I don't understand.

even if I change the web_dom value, the result is the same!

| eval errcap =if(web >= 1 AND web_dom="aa" AND web_url="*", 1, 0)
| eval errcont =if(web >= 1 AND web_dom="bb", 1, 0)
| eval errshare =if(web = 1 AND web_dom="cc", 1, 0)
| chart count(errcap) as "errcap", count(errcont) as "errcont", count(errshare) as "errshare" over Time

ITWhisperer
SplunkTrust

| eval counter=if(web > 12 AND TOTO=a, 1, 0)
| chart sum(counter)

jip31
Motivator

I have something very strange

If I add a clause like web_error_code and assign it a value (404), as in the example, it works:

| eval errshare =if(web_error_count >= 1 AND web_error_code=404 AND web_domain="sharepoint.com", 1, 0) 
| stats sum(errshare)

When I put "*" instead of 404, I have no results!

What is wrong, please?

| eval errshare =if(web_error_count >= 1 AND web_error_code="*" AND web_domain="sharepoint.com", 1, 0)
| stats sum(errshare)

jip31
Motivator

I found it: the wildcard for eval and where is not "*" (it only works with the search command).

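The two stumbling blocks in this thread side by side, on constructed sample data. This is an added example, not code from any of the posts above: the field names web_error_count, web_error_code and web_domain come from jip31's search, the values are made up with makeresults. First, count(errshare) counts every event in which the field exists, and 0 is a value, so a 0/1 flag counted this way reports all events, which is why changing the condition changed nothing; sum(errshare), or the count(eval(...)) form from the original question, reports only the matches because an eval inside a stats function returns null when its condition is false. Second, inside eval a "*" is a literal string, so web_error_code="*" matches only a field whose value is the single character *; isnotnull() expresses "the field has any value", like() takes a % wildcard, and searchmatch() applies the search command's wildcard semantics. (The unquoted a in TOTO=a is likewise read as a field name, which is why somesoni2 asks whether it is a string.)

```spl
| makeresults count=4
| streamstats count AS n
| eval web_error_count=case(n=1, 1, n=2, 2, n=3, 0, n=4, 3),
       web_error_code=case(n=1, "404", n=2, "500", n=4, "404"),
       web_domain=case(n=4, "example.org", true(), "sharepoint.com")
| eval errshare=if(web_error_count >= 1 AND web_domain="sharepoint.com", 1, 0)
| eval star_literal=if(web_error_code="*", 1, 0)
| stats count(errshare) AS count_of_flag,
        sum(errshare) AS sum_of_flag,
        count(eval(web_error_count >= 1 AND web_domain="sharepoint.com")) AS count_eval,
        sum(star_literal) AS literal_star_matches,
        count(eval(isnotnull(web_error_code) AND web_domain="sharepoint.com")) AS any_code,
        count(eval(like(web_error_code, "4%"))) AS code_4xx,
        count(eval(searchmatch("web_error_code=4*"))) AS code_4xx_searchmatch
```

Paste it into the search bar as a complete search (the leading pipe replaces the search command). Row 3 deliberately has no web_error_code, since case() with no matching branch returns null. count_of_flag reports all four rows, while sum_of_flag and count_eval agree on the two sharepoint.com rows that have errors; literal_star_matches is zero, and any_code, code_4xx and code_4xx_searchmatch show the three working replacements for the "*" comparison.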