Splunk Search

How to find count for each field value?

rakesh44
Communicator

Events:

SEVERITY=5, INCIDENT=INC1929283737

Command

index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access SEVERITY=* INCIDENT=*
| stats count(eval(component="Metrics")) as Metrics_count, count(eval(component="root")) as Root_count, count(eval(eventtype="splunkd-log")) as Splunkd_log_count, count(eval(eventtype="splunkd-access")) as Splunkd_access_count

I want to pull the # of incidents and severity when component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access. Basically it should show, in a table, what the severity and incident are for root:

root severity incident  Metrics severity incident splunkd-log severity incident

rakesh44
Communicator

Below is the appropriate command

index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access
| stats count(eval(component="Metrics")) as Metrics_count, count(eval(component="root")) as Root_count, count(eval(eventtype="splunkd-log")) as Splunkd_log_count, count(eval(eventtype="splunkd-access")) as Splunkd_access_count by sourcetype, INCIDENT



woodcock
Esteemed Legend

The stats command is multi-value-friendly so you can just do this:

index="_internal" AND (component IN("root", "Metrics") OR eventtype IN("splunkd-log", "splunkd-access")) AND SEVERITY=* AND INCIDENT=*
| eval component=mvappend(component, eventtype)
| stats count BY component SEVERITY INCIDENT

rakesh44
Communicator

I have removed Incident and severity from the command and checked, but it's giving all values of component, not the specific ones.

index="_internal" AND (component IN("root", "Metrics") OR eventtype IN("splunkd-log", "splunkd-access"))
| eval component=mvappend(component, eventtype)
| stats count BY component

woodcock
Esteemed Legend

It should look exactly like your given example in the comment of one of the other answers. Show me what it is giving now, then show me what you would like it to show.


rakesh44
Communicator

Hi woodcock, I got the solution, thanks for all your effort

index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access
| stats count(eval(component="Metrics")) as Metrics_count, count(eval(component="root")) as Root_count, count(eval(eventtype="splunkd-log")) as Splunkd_log_count, count(eval(eventtype="splunkd-access")) as Splunkd_access_count by INCIDENT, SEVERITY


rakesh44
Communicator

The given command did not work, but the command below worked, with one issue

index=_internal component=Metrics OR component=root OR eventtype=splunkd-log OR eventtype=splunkd-access
| stats count(eval(component="root")) as root_count, count(eval(component="Metrics")) as "metrics_count", count(eval(eventtype="splunkd-log")) as "splunkd-log_count", count(eval(eventtype="splunkd-access")) as "splunkd-access-count"

Now it should show the incidents related to component=root, eventtype=splunkd-log, eventtype=splunkd-access, but it is showing some extra Incidents which are not related to the above fields


woodcock
Esteemed Legend

Are we speaking the same language?


DMohn
Motivator

You could try a search like this:

index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access SEVERITY=* INCIDENT=*
| eval type=case(component="Metrics","Metrics", component="root","Root", eventtype="splunkd-log","Splunkd-Log", eventtype="splunkd-access","Splunkd-Access", 1=1,"other")
| stats count by type SEVERITY
| xyseries type SEVERITY count

This would give you a table like this:

                  Severity 1      Severity 2    ....
Metrics           1               2
Root              5
Splunkd-Log       6               8
Splunkd-Access                    3
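Added example, not taken from any post in this thread and not Splunk code: a small Python model of the ways this thread collapses component and eventtype into one dimension, run over a handful of constructed events that use the thread's field names (component, eventtype, SEVERITY, INCIDENT; the incident IDs and severities are made up). It mimics the case() normalisation from the answer above, the mvappend() multivalue approach from woodcock's answer, the coalesce() suggestion further down, and the conditional count(eval(...)) form of the accepted answer, and shows why they return different row sets: case() labels an event once, by its first matching branch; mvappend() makes stats BY count an event once per value, and it also drags an event's unrelated component value into the BY field when that event matched only via eventtype (consistent with the "all fields of component" result reported above); coalesce() only ever uses eventtype when component is null. The helper names (matches, classify_case, classify_mvappend, classify_coalesce, stats_count_by, conditional_counts, xyseries) are chosen here for illustration and are not Splunk functions.

```python
"""Added example: a Python model of the aggregation shapes discussed in this
thread, run over constructed events.  Not Splunk code; it only mimics the parts
of case(), mvappend(), coalesce(), stats BY and xyseries that matter here."""
from collections import Counter, defaultdict

# Constructed sample events (values are made up); field names follow the thread.
# The last event carries both a wanted component and a wanted eventtype.
EVENTS = [
    {"component": "root",    "eventtype": None,             "SEVERITY": "5", "INCIDENT": "INC1929283737"},
    {"component": "Metrics", "eventtype": None,             "SEVERITY": "3", "INCIDENT": "INC1929283738"},
    {"component": "Metrics", "eventtype": None,             "SEVERITY": "3", "INCIDENT": "INC1929283738"},
    {"component": "other",   "eventtype": "splunkd-access", "SEVERITY": "5", "INCIDENT": "INC1929283739"},
    {"component": "root",    "eventtype": "splunkd-log",    "SEVERITY": "5", "INCIDENT": "INC1929283737"},
]
COMPONENTS = ("root", "Metrics")
EVENTTYPES = ("splunkd-log", "splunkd-access")


def matches(ev):
    """Base search: component IN (...) OR eventtype IN (...), SEVERITY=*, INCIDENT=*."""
    return ((ev["component"] in COMPONENTS or ev["eventtype"] in EVENTTYPES)
            and ev["SEVERITY"] is not None and ev["INCIDENT"] is not None)


def classify_case(ev):
    """eval type=case(component="Metrics","Metrics", ..., 1=1,"other"):
    case() returns the FIRST branch that matches, so each event gets one label."""
    if ev["component"] == "Metrics":
        return ["Metrics"]
    if ev["component"] == "root":
        return ["Root"]
    if ev["eventtype"] == "splunkd-log":
        return ["Splunkd-Log"]
    if ev["eventtype"] == "splunkd-access":
        return ["Splunkd-Access"]
    return ["other"]


def classify_mvappend(ev):
    """eval component=mvappend(component, eventtype): a multivalue field.
    stats BY a multivalue field counts the event once under EACH value, and an
    unwanted component value rides along with a wanted eventtype."""
    return [v for v in (ev["component"], ev["eventtype"]) if v is not None]


def classify_coalesce(ev):
    """eval type=coalesce(component, eventtype): first non-null argument only,
    so eventtype is never consulted while component is populated."""
    return [ev["component"] if ev["component"] is not None else ev["eventtype"]]


def stats_count_by(events, classify, *by):
    """| stats count BY <label> <by...> over the events that match the base search."""
    counts = Counter()
    for ev in filter(matches, events):
        for label in classify(ev):
            counts[(label,) + tuple(ev[k] for k in by)] += 1
    return dict(counts)


# The accepted answer's shape: one conditional count per column, grouped BY the
# given fields.  Every group row carries all four columns, zero when nothing matched.
CONDITIONS = {
    "Metrics_count":        lambda ev: ev["component"] == "Metrics",
    "Root_count":           lambda ev: ev["component"] == "root",
    "Splunkd_log_count":    lambda ev: ev["eventtype"] == "splunkd-log",
    "Splunkd_access_count": lambda ev: ev["eventtype"] == "splunkd-access",
}


def conditional_counts(events, *by):
    """| stats count(eval(component="Metrics")) AS Metrics_count, ... BY <by...>"""
    rows = {}
    for ev in filter(matches, events):
        row = rows.setdefault(tuple(ev[k] for k in by), {name: 0 for name in CONDITIONS})
        for name, cond in CONDITIONS.items():
            row[name] += int(cond(ev))
    return rows


def xyseries(counts):
    """| xyseries <x> <y> count over (x, y) -> count rows: one row per x, one column per y."""
    table = defaultdict(dict)
    for (x, y), n in counts.items():
        table[x][y] = n
    return dict(table)


if __name__ == "__main__":
    for name, classify in (("case", classify_case), ("mvappend", classify_mvappend),
                           ("coalesce", classify_coalesce)):
        rows = stats_count_by(EVENTS, classify, "SEVERITY", "INCIDENT")
        print(name, "counts", sum(rows.values()), "rows:", rows)
    print(conditional_counts(EVENTS, "INCIDENT", "SEVERITY"))
    print(xyseries(stats_count_by(EVENTS, classify_case, "SEVERITY")))
```

Run it and compare the totals: case() and coalesce() count five rows for five events, mvappend() counts seven because the two events with both a component and an eventtype value are counted twice, and both mvappend() and coalesce() surface an "other" row that the case() version does not.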

rakesh44
Communicator

Thanks for the quick reply; unfortunately your command did not work. Below is my requirement.

I have one field called component and under it I have the values root, splunkd_log, metrics and splunkd-access. I have the fields incident=INC12335 and severity=5 in events.

I want to find how many Incidents with severity are raised when component=splunkd_log, component=metrics and component=splunkd-access.

Basically it should show how many Incidents with severity there are when component=splunkd_log

Basically it should show how many Incidents with severity there are when component=metrics

Basically it should show how many Incidents with severity there are when component=splunkd-access.

Basically it should show how many Incidents with severity there are when component=root


DMohn
Motivator

Okay, if you have a field component in your events, you can use this search command:

<your base search> | stats count by component, severity

This will give you an overview that will look something like this:

component    severity    count   
splunkd_log  5           1
splunkd_log  2           4
metrics      5           2
metrics      4           3

To format this table in a sort of matrix-like view, you may use the xyseries command:

| xyseries component severity count

[...]


rakesh44
Communicator

index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access SEVERITY=* INCIDENT=* | stats count by component, severity

index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access SEVERITY=* INCIDENT=* | xyseries component severity count


rakesh44
Communicator
My requirement:

component         Incident          Severity               count
root
Metrics
splunkd_log 
splunkd-access

DMohn
Motivator

Wait, what should be the result in the incident column? A count? An incident identifier?


rakesh44
Communicator

Incident and severity are required (count is not important)


DMohn
Motivator

index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access SEVERITY=* INCIDENT=*
| stats count by component, SEVERITY
| xyseries component SEVERITY count


vishaltaneja070
Motivator

@rakesh44
I didn't get your exact requirement.

Something like this can work for you:

index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access SEVERITY=* INCIDENT=*
| stats values(SEVERITY), count(INCIDENT) by component

If you want to group by both fields, i.e. component and eventtype, then use coalesce to combine them into a single field and then use it in stats.


rakesh44
Communicator

Thanks for the quick reply; unfortunately your command did not work. Below is my requirement.

I have one field called component and under it I have the values root, splunkd_log, metrics and splunkd-access. I have the fields incident=INC12335 and severity=5 in events.

I want to find how many Incidents with severity are raised when component=splunkd_log, component=metrics and component=splunkd-access.

Basically it should show how many Incidents with severity there are when component=splunkd_log

Basically it should show how many Incidents with severity there are when component=metrics

Basically it should show how many Incidents with severity there are when component=splunkd-access.

Basically it should show how many Incidents with severity there are when component=root
