Events:
SEVERITY=5, INCIDENT=INC1929283737
Command:
index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access SEVERITY=* INCIDENT=* | stats count(eval(component="Metrics")) as Metrics_count, count(eval(component="root")) as Root_count, count(eval(eventtype="splunkd-log")) as Splunkd_log_count, count(eval(eventtype="splunkd-access")) as Splunkd_access_count
I want to pull the number of incidents and the severity when component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access. Basically it should show what the severity and incident are, in a table, for root:
root severity incident Metrics severity incident splunkd-log severity incident
Below is the appropriate command
index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access | stats count(eval(component="Metrics")) as Metrics_count, count(eval(component="root")) as Root_count, count(eval(eventtype="splunkd-log")) as Splunkd_log_count, count(eval(eventtype="splunkd-access")) as Splunkd_access_count by sourcetype, Incident
The stats command is multi-value-friendly, so you can just do this:
index="_internal" AND (component IN("root", "Metrics") OR eventtype IN("splunkd-log", "splunkd-access")) AND SEVERITY=* AND INCIDENT=*
| eval component=mvappend(component, eventtype)
| stats count BY component SEVERITY INCIDENT
I have removed Incident and severity from the command and checked, but it's giving all fields of component, not the specific one.
index="_internal" AND (component IN("root", "Metrics") OR eventtype IN("splunkd-log", "splunkd-access"))
| eval component=mvappend(component, eventtype)
| stats count BY component
It should look exactly like your given example in the comment of one of the other answers. Show me what it is giving now, then show me what you would like it to show.
Hi woodcock, I got the solution, thanks for all your effort.
index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access | stats count(eval(component="Metrics")) as Metrics_count, count(eval(component="root")) as Root_count, count(eval(eventtype="splunkd-log")) as Splunkd_log_count, count(eval(eventtype="splunkd-access")) as Splunkd_access_count by INCIDENT,SEVERITY
The given command did not work, but the command below worked, with one issue:
index=_internal component=Metrics OR component=root OR eventtype=splunkd-log OR eventtype=splunkd-access
| stats count(eval(component="root")) as root_count,count(eval(component="Metrics")) as "metrics_count", count(eval(eventtype="splunkd-log")) as splunkd-log_count, count(eval(eventtype="splunkd-access")) as splunkd-access-count
Now it should show incidents related to component=root, eventtype=splunkd-log, eventtype=splunkd-access, but it is showing some extra incidents which are not related to the above fields.
Are we speaking the same language?
You could try a search like this:
index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access SEVERITY=* INCIDENT=* | eval type=case(component="Metrics","Metrics",component="root","Root",eventtype="splunkd-log","Splunkd-Log",eventtype="splunkd-access","Splunkd-Access",1=1,"other") | stats count by type severity | xyseries type severity count
This would give you a table like this:
Severity 1 Severity 2 ....
Metrics 1 2
Root 5
Splunkd-Log 6 8
Splunkd-Access 3
Thanks for the quick reply; unfortunately your command did not work. Below is my requirement:
I have one field called components, and under it I have the values root, splunkd_log, metrics and splunkd-access. I have the fields incident=INC12335 and severity=5 in events.
I want to find how many incidents with severity are raised when component=splunkd_log, component=metrics and component=splunkd-access.
Basically it should show how many incidents with severity there are when component=splunkd_log
Basically it should show how many incidents with severity there are when component=metrics
Basically it should show how many incidents with severity there are when component=splunkd-access
Basically it should show how many incidents with severity there are when component=root
Okay, if you have a field component in your events, you can use this search command:
<your base search> | stats count by component, severity
This will give you an overview that will look something like this:
component severity count
splunkd_log 5 1
splunkd_log 2 4
metrics 5 2
metrics 4 3
To format this table in a sort of matrix-like view, you may use the xyseries command:
| xyseries component severity count
index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access SEVERITY=* INCIDENT=* | stats count by component, severity
index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access SEVERITY=* INCIDENT=* | xyseries component severity count
My requirement:
component Incident Severity count
root
Metrics
splunkd_log
splunkd-access
Wait, what should be the result in the incident row? A count? An incident identifier?
Incident and severity are required (count is not important).
index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access SEVERITY=* INCIDENT=* | stats count by component, severity | xyseries component severity count
@rakesh44
I didn't get your exact requirement; something like this can work for you:
index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access SEVERITY=* INCIDENT=* | stats values(SEVERITY), count(INCIDENT) by component
If you want to go by both fields, i.e. component and eventtype, then use coalesce to convert them into a single field and then use it in stats.
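Combining the mvappend answer above with the suggestion to merge component and eventtype into one field, here is an added example (not posted by anyone in this thread) that keeps only the four wanted values before counting, so incidents that entered the search only through an unrelated component are dropped. It assumes the field names SEVERITY and INCIDENT exactly as in the question's sample event.

```spl
index="_internal" (component IN ("root", "Metrics") OR eventtype IN ("splunkd-log", "splunkd-access")) SEVERITY=* INCIDENT=*
| eval type=mvappend(component, eventtype)
| mvexpand type
| search type IN ("root", "Metrics", "splunkd-log", "splunkd-access")
| stats dc(INCIDENT) AS incident_count, values(INCIDENT) AS incidents, values(SEVERITY) AS severities BY type
```

mvexpand turns an event that carries both a wanted component and a wanted eventtype into one row per value, and the search line then removes rows whose value is outside the list, which is what caused the extra incidents reported earlier. values() lists each distinct incident identifier and severity per row, which is what the requirement asks for when the count is not important.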