Splunk Search

How to find count for each field value?

rakesh44
Communicator

Events:

SEVERITY=5, INCIDENT=INC1929283737

Command

index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access SEVERITY=* INCIDENT=*  | stats count(eval(component="Metrics")) as Metrics_count, count(eval(component="root")) as Root_count, count(eval(eventtype="splunkd-log")) as Splunkd_log_count, count(eval(eventtype="splunkd-access")) as Splunkd_access_count

I want to pull the # of incident and severity when component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access .... basically it should show what the severity and incident are, in a table, for root:

root severity incident  Metrics severity incident splunkd-log severity incident
0 Karma

rakesh44
Communicator

Below is the appropriate command

index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access | stats count(eval(component="Metrics")) as Metrics_count, count(eval(component="root")) as Root_count, count(eval(eventtype="splunkd-log")) as Splunkd_log_count, count(eval(eventtype="splunkd-access")) as Splunkd_access_count by sourcetype, Incident


0 Karma

woodcock
Esteemed Legend

The stats command is multi-value-friendly so you can just do this:

index="_internal" AND (component IN("root", "Metrics") OR eventtype IN("splunkd-log", "splunkd-access")) AND SEVERITY=* AND INCIDENT=*
| eval component=mvappend(component, eventtype)
| stats count BY component SEVERITY INCIDENT
0 Karma

rakesh44
Communicator

I have removed Incident and severity from the command and checked, but it's giving all fields of component, not a specific one.

index="_internal" AND (component IN("root", "Metrics") OR eventtype IN("splunkd-log", "splunkd-access"))
| eval component=mvappend(component, eventtype)
| stats count BY component
0 Karma

woodcock
Esteemed Legend

It should look exactly like your given example in the comment of one of the other answers. Show me what it is giving now, then show me what you would like it to show.

0 Karma

rakesh44
Communicator

Hi woodcock, I got the solution, thanks for all your effort.

index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access | stats count(eval(component="Metrics")) as Metrics_count, count(eval(component="root")) as Root_count, count(eval(eventtype="splunkd-log")) as Splunkd_log_count, count(eval(eventtype="splunkd-access")) as Splunkd_access_count by INCIDENT,SEVERITY

0 Karma

rakesh44
Communicator

The given command did not work, but the command below worked with one issue.

index=_internal component=Metrics OR component=root OR eventtype=splunkd-log OR eventtype=splunkd-access
| stats count(eval(component="root")) as root_count,count(eval(component="Metrics")) as "metrics_count", count(eval(eventtype="splunkd-log")) as splunkd-log_count, count(eval(eventtype="splunkd-access")) as splunkd-access-count

Now it should show incidents related to component=root, eventtype=splunkd-log, eventtype=splunkd-access, but it is showing some extra Incidents which are not related to the above fields.

0 Karma

woodcock
Esteemed Legend

Are we speaking the same language?

0 Karma

DMohn
Motivator

You could try a search like this:

index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access SEVERITY=* INCIDENT=*  | eval type=case(component="Metrics","Metrics",component="root","Root",eventtype="splunkd-log","Splunkd-Log",eventtype="splunkd-access","Splunkd-Access",1=1,"other") | stats count by type severity | xyseries type severity count

This would give you a table like such:

                  Severity 1      Severity 2    ....
Metrics           1               2
Root              5
Splunkd-Log       6               8
Splunkd-Access                    3
0 Karma

rakesh44
Communicator

Thanks for the quick reply; unfortunately your command did not work. Below is my requirement.

I have one field called component, and under it I have the values root, splunkd_log, metrics and splunkd-access. I have the fields incident=INC12335 and severity=5 in events.

I want to find how many Incidents with severity are raised when component=splunkd_log, component=metrics and component=splunkd-access.

Basically it should show how many Incidents with severity there are when component=splunkd_log

Basically it should show how many Incidents with severity there are when component=metrics

Basically it should show how many Incidents with severity there are when component=splunkd-access

Basically it should show how many Incidents with severity there are when component=root

0 Karma

DMohn
Motivator

Okay, if you have a field component in your events, you can use this search command:

<your base search> | stats count by component, severity

This will give you an overview that will look something like this:

component    severity    count   
splunkd_log  5           1
splunkd_log  2           4
metrics      5           2
metrics      4           3

To format this table in a sort of matrix-like view, you may use the xyseries command:

| xyseries component severity count

[...]

0 Karma
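Pulling the answers in this thread together (woodcock's idea of merging component and eventtype into one field before stats, DMohn's case() normalization, and a stats BY that keeps INCIDENT and SEVERITY), here is an added, self-contained search that is not from the original post or any of its authors. The first six lines build a handful of constructed events with makeresults so the search runs on any Splunk instance without touching _internal; the field names component, eventtype, SEVERITY and INCIDENT match the events shown in the question, and the incident IDs INC1001 to INC1006 are made up. Everything from the eval type= line onward is the part you would run against real data.

```spl
| makeresults
| eval rows="root,,5,INC1001;Metrics,,3,INC1002;root,,5,INC1003;,splunkd-log,5,INC1002;,splunkd-access,2,INC1004;Metrics,,5,INC1005;,splunkd-log,5,INC1006"
| makemv delim=";" rows
| mvexpand rows
| rex field=rows "^(?<component>[^,]*),(?<eventtype>[^,]*),(?<SEVERITY>[^,]*),(?<INCIDENT>.*)$"
| fields - _time, rows
| eval type=case(component="Metrics","Metrics", component="root","root", eventtype="splunkd-log","splunkd-log", eventtype="splunkd-access","splunkd-access", true(),"other")
| where type!="other"
| stats dc(INCIDENT) AS incidents values(INCIDENT) AS incident_ids count AS events BY type SEVERITY
| sort type SEVERITY
```

The case() step folds the two source fields into a single type field without relying on coalesce, so it does not matter whether an absent component comes through as null or as an empty string. The final stats gives one row per type and SEVERITY with the distinct incident IDs listed beside the counts, which is the "component, Incident, Severity, count" shape asked for later in the thread; with the constructed rows, for example, the root/5 row lists INC1001 and INC1003. To pivot it into DMohn's matrix instead, replace the last two lines with `| stats count BY type SEVERITY | xyseries type SEVERITY count`. To run it against real data, replace the first six lines with a parenthesized base search such as `index=_internal (component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access) SEVERITY=* INCIDENT=*`. One caveat worth checking first: Splunk field names are case-sensitive, so `severity` and `SEVERITY` are different fields, and a `stats ... by severity` over events that carry `SEVERITY=5` has nothing to group on.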

rakesh44
Communicator

index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access SEVERITY=* INCIDENT=* | stats count by component, severity

index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access SEVERITY=* INCIDENT=* | xyseries component severity count

0 Karma

rakesh44
Communicator

My requirement:

component         Incident          Severity               count
root
Metrics
splunkd_log 
splunkd-access
0 Karma

DMohn
Motivator

Wait, what should be the result in the incident row? A count? An incident identifier?

0 Karma

rakesh44
Communicator

Incident and severity are required (count is not important).

0 Karma

DMohn
Motivator

index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access SEVERITY=* INCIDENT=* | stats count by component, severity | xyseries component severity count

0 Karma

vishaltaneja070
Motivator

@rakesh44
I didn't get your exact requirement, but something like this may work for you:

index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access SEVERITY=* INCIDENT=* | stats values(SEVERITY), count(INCIDENT) by component

If you want to group by both fields, i.e. component and eventtype, then use coalesce to convert them into a single field and then use it in stats.

0 Karma