Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to get the counts and eval results for each value of a certain field?

Catie_Carmody
Engager
‎04-18-2016 03:58 PM

The below returns the correct results, but I only get the RequestOne, RequestTwo, and meetscriteria fields when field1= test:

sourcetype=application_log field1= test | stats count(eval(match(_raw, "Request 1"))) AS "RequestOne", count(eval(match(_raw, "Request 2"))) AS "RequestTwo" | eval meetscriteria = if(('Request1' >= 100 AND 'Request2' > 0), "OK", "No")

I have many fields for field1 though and want to capture the counts and "meetscriteria" information for each value of field1. How can I capture this information?

I have also saved these using eventtypes and tags, but you can't group on these? Do I need to use a lookup table or a join?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Catie_Carmody
Engager
‎04-18-2016 06:06 PM

I resolved it by adding a "by field1" in the second pipe and removing the field1 criteria from the initial search:

sourcetype=application_log | stats count(eval(match(_raw, "Request 1"))) AS "RequestOne", count(eval(match(_raw, "Request 2"))) AS "RequestTwo" by field1| eval meetscriteria = if(('Request1' >= 100 AND 'Request2' > 0), "OK", "No")

I had originally created eventtypes for both "Request 1" and "Request 2", but this seemed limited such that I couldn't run eval against eventtypes or do groupings.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Catie_Carmody
Engager
‎04-18-2016 06:06 PM

I resolved it by adding a "by field1" in the second pipe and removing the field1 criteria from the initial search:

sourcetype=application_log | stats count(eval(match(_raw, "Request 1"))) AS "RequestOne", count(eval(match(_raw, "Request 2"))) AS "RequestTwo" by field1| eval meetscriteria = if(('Request1' >= 100 AND 'Request2' > 0), "OK", "No")

I had originally created eventtypes for both "Request 1" and "Request 2", but this seemed limited such that I couldn't run eval against eventtypes or do groupings.

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎04-18-2016 04:59 PM

Change field1=test to field1=* or remove the field1= criteria altogether.

0 Karma
Reply
Get Updates on the Splunk Community!

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Automatic Discovery Part 2: Setup and Best Practices

In Part 1 of this series, we covered what Automatic Discovery is and why it’s critical for observability at ...