Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create a search for stats count eval?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
03-18-2022
07:55 AM
hi
I need to use eval count in a search like this
| chart count(eval(web > 12))
But this count is right if I filter events préviously from a string
what I would like to do is something like this
| chart count(eval(web > 12 AND TOTO=a))
NB: I know I can filter before the chart command but its impossible here because my chart command stats a lot of different events...
How to do this please?
Rgds
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
03-18-2022
08:29 AM
| chart count(eval(web > 12 AND TOTO=a))
Something like this should work. Did you try it? Is "a" a field OR a string? If it's a string, try enclosing it in double quotes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
03-18-2022
08:29 AM
| chart count(eval(web > 12 AND TOTO=a))
Something like this should work. Did you try it? Is "a" a field OR a string? If it's a string, try enclosing it in double quotes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
03-18-2022
09:45 AM
I dont undesrtand
even if I change the web_dom value, the result is the same!
| eval errcap =if(web >= 1 AND web_dom="aa" AND web_url="*", 1, 0)
| eval errcont =if(we >= 1 AND web_dom="bb", 1, 0)
| eval errshare =if(web= 1 AND web_dom="cc", 1, 0)
| chart count(errcap) as "errcap", count(errcont) as "errcont", count(errshare) as "errshare" over Time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
03-18-2022
08:25 AM
| eval counter=if(web > 12 AND TOTO=a, 1, 0)
| chart sum(counter)- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
03-22-2022
01:55 AM
I have something very strange
if i add a clause like web_error_code and I assign it a value (404) in the example it works
| eval errshare =if(web_error_count >= 1 AND web_error_code=404 AND web_domain="sharepoint.com", 1, 0)
| stats sum(errshare)what is put "*" instead 404, I have no results!
what is wrong please?
| eval errshare =if(web_error_count >= 1 AND web_error_code="*" AND web_domain="sharepoint.com", 1, 0)
| stats sum(errshare)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
03-22-2022
09:23 AM
I found, it's Wild card for eval and where is not "*" (it only works with search command)
Get Updates on the Splunk Community!
Leveraging Detections from the Splunk Threat Research Team & Cisco Talos
Now On Demand
Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research ...
New in Splunk Observability Cloud: Automated Archiving for Unused Metrics
Automated Archival is a new capability within Metrics Management; which is a robust usage & cost optimization ...
Calling All Security Pros: Ready to Race Through Boston?
Hey Splunkers,
.conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...
