Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a search for stats count eval?

jip31
Motivator
‎03-18-2022 07:55 AM

hi

I need to use eval count in a search like this

 

 

 

| chart count(eval(web > 12))

 

 

 

But this count is right if I filter events préviously from a string

what I would like to do is something like this

 

 

 

| chart count(eval(web > 12 AND TOTO=a))

 

 

 

NB: I know I can filter before the chart command but its impossible here because my chart command stats a lot of different events...

How to do this please?

Rgds

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-18-2022 08:29 AM 
| chart count(eval(web > 12 AND TOTO=a))

Something like this should work. Did you try it? Is "a" a field OR a string?  If it's a string, try enclosing it in double quotes.

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-18-2022 08:29 AM 
| chart count(eval(web > 12 AND TOTO=a))

Something like this should work. Did you try it? Is "a" a field OR a string?  If it's a string, try enclosing it in double quotes.

 

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎03-18-2022 09:45 AM

I dont undesrtand

even if I change the web_dom value, the result is the same!

| eval errcap =if(web >= 1 AND web_dom="aa" AND web_url="*", 1, 0) 
| eval errcont =if(we >= 1 AND web_dom="bb", 1, 0)  
| eval errshare =if(web= 1 AND web_dom="cc", 1, 0) 
| chart count(errcap) as "errcap", count(errcont) as "errcont", count(errshare) as "errshare" over Time

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-18-2022 08:25 AM 
| eval counter=if(web > 12 AND TOTO=a, 1, 0)
| chart sum(counter)
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎03-22-2022 01:55 AM

I have something very strange

if i add a clause like web_error_code and I assign it a value (404) in the example it works

| eval errshare =if(web_error_count >= 1 AND web_error_code=404 AND web_domain="sharepoint.com", 1, 0) 
| stats sum(errshare)

what is put "*" instead 404, I have no results!

what is wrong please?

 

| eval errshare =if(web_error_count >= 1 AND web_error_code="*" AND web_domain="sharepoint.com", 1, 0) 
| stats sum(errshare)

 

 

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎03-22-2022 09:23 AM

I found, it's Wild card for eval and where is not "*" (it only works with search command)

0 Karma
Reply
Get Updates on the Splunk Community!

Tips & Tricks When Using Ingest Actions

Tune in to learn about:Large scale architecture when using Ingest ActionsRegEx performance considerations ...

Announcing Our Splunk MVPs

We are excited to announce the first cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...