Splunk Search

How to find the number of fields that consists "Passed" and also the Total number of fields available.

vinod743374
Communicator

This is my sample data. i need the total "passed" 

These are the Headers, Node Name _time, Anti-Spoofing,  Rule Banner , Rule Http Rule Palo alto Username SSH Timeout Ssh Access Tacacs Telnet Rule console port config ntp server Result

NDL-ALM-GSD-BUS-FW-012021-06-24 17:27:35PassedPassedPassedPassedPassedPassedPassedPassedPassedPassedPassed
USA-DNV-CUS-BUS-FW-022021-06-24 17:27:35PassedPassedPassedPassedPassedPassedPassedPassedPassedPassedPassed
Labels (3)
0 Karma
1 Solution

vinod743374
Communicator

This is the _raw data i filtered like this. i want to know the count of the total "passed"

 

Dns Rule=Passed, HOSTNAME=Passed, username=Passed, ssh Timeout rule=Passed snmp rule=Passed, udld Rule=Passed, Enable Password=Passed, Snmp config rule=Passed, Line Vty 0 4 Timeout & acl=Passed, Line Con 0 timeout=Passed, Service Policy=Passed, Https Rule=Passed, Line Con 0=Passed, Line aux 0=Passed, Don't Username=Passed, Service Password Encryption=Passed, Aaa Server-GE=Passed, Line Vty 5 15=Passed, Image Verification=Passed, Bootp Server=Passed,Line Vty 0 4=Passed,

View solution in original post

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@vinod743374 

Can you please share sample _raw events and expected OP from that event?

0 Karma

vinod743374
Communicator

This is the _raw data i filtered like this. i want to know the count of the total "passed"

 

Dns Rule=Passed, HOSTNAME=Passed, username=Passed, ssh Timeout rule=Passed snmp rule=Passed, udld Rule=Passed, Enable Password=Passed, Snmp config rule=Passed, Line Vty 0 4 Timeout & acl=Passed, Line Con 0 timeout=Passed, Service Policy=Passed, Https Rule=Passed, Line Con 0=Passed, Line aux 0=Passed, Don't Username=Passed, Service Password Encryption=Passed, Aaa Server-GE=Passed, Line Vty 5 15=Passed, Image Verification=Passed, Bootp Server=Passed,Line Vty 0 4=Passed,

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@vinod743374 

Can you please try this?

YOUR_SEARCH 
| rex field=_raw "=(?<a>Passed)" max_match=0 | eval count=mvcount(a) | fields - a

 

My Sample Search :

| makeresults | eval _raw="Dns Rule=Passed, HOSTNAME=Passed, username=Passed, ssh Timeout rule=Passed snmp rule=Passed, udld Rule=Passed, Enable Password=Passed, Snmp config rule=Passed, Line Vty 0 4 Timeout & acl=Passed, Line Con 0 timeout=Passed, Service Policy=Passed, Https Rule=Passed, Line Con 0=Passed, Line aux 0=Passed, Don't Username=Passed, Service Password Encryption=Passed, Aaa Server-GE=Passed, Line Vty 5 15=Passed, Image Verification=Passed, Bootp Server=Passed,Line Vty 0 4=Passed" 
|rename comment as "Upto Now is sample data only" 
| rex field=_raw "=(?<a>Passed)" max_match=0 | eval count=mvcount(a)  | fields - a


 Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma

vinod743374
Communicator

Thank you so much ,
its is working .
but if in the place of Passed,  i have some Failed message like :

Critical - Pattern 'disable-http yes' was not found Pattern 'https yes' was not found

 

Can we count these Error Failed messages also ???
kindly help me with this also.

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@vinod743374 

Can you please try this?

YOUR_SEARCH
| rex field=_raw "=(?<a>Passed)" max_match=0 | eval passed_count=mvcount(a) | fields - a
| rex field=_raw "=(?<a>Failed)" max_match=0 | eval failed_count=mvcount(a) | fields - a

 

My Sample Search :

| makeresults | eval _raw="Dns Rule=Passed, HOSTNAME=Passed, username=Passed, ssh Timeout rule=Passed snmp rule=Passed, udld Rule=Passed, Enable Password=Passed, Snmp config rule=Passed, Line Vty 0 4 Timeout & acl=Passed, Line Con 0 timeout=Passed, Service Policy=Passed, Https Rule=Passed, Line Con 0=Passed, Line aux 0=Passed, Don't Username=Passed, Service Password Encryption=Passed, Aaa Server-GE=Passed, Line Vty 5 15=Passed, Image Verification=Passed, Bootp Server=Passed,Line Vty 0 4=Passed, xyz=Failed" 
|rename comment as "Upto Now is sample data only" 
| rex field=_raw "=(?<a>Passed)" max_match=0 | eval passed_count=mvcount(a) | fields - a
| rex field=_raw "=(?<a>Failed)" max_match=0 | eval failed_count=mvcount(a) | fields - a

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma

vinod743374
Communicator

Its not gonna workout ,
because there is no such "Failed" in the _raw 

let me share you the _raw event of that .  i just bold the failed message.

Dns Rule=Passed, HOSTNAME=Passed, username=Passed, ssh Timeout rule=Passed, Node Name="HUN-BUD-GE-COR-SW-01_stack.ROMA.AD", snmp rule=Passed, udld Rule=Passed, Enable Password=Passed, Snmp config rule=Passed, Line Vty 0 4 Timeout & acl=Passed, Line Con 0 timeout=Passed, Service Policy=Passed, Https Rule=Passed, Line Con 0=Passed, Line aux 0=Passed, Node Ip Address="10.198.4.1", Don't Username=Passed, Service Password Encryption=Passed, AaaServer-GE="Critical - Pattern 'aaa new-model' was found On line 28 'aaa new-model' Pattern 'aaa authentication login default group tacacs' was not found Pattern 'aaa authorization exec default group tacacs' was not found Pattern 'aaa accounting exec default start-stop group tacacs' was not found Pattern 'tacacs-server host 10.198.60.40' was not found Pattern 'tacacs-server host 10.198.40.40' was not found Pattern 'tacacs-server directed-request' was not found Pattern 'aaa authentication enable default group tacacs' was not found Pattern 'aaa accounting commands 15 default start-stop group tacacs' was not found", Line Vty 5 15=Passed, Image Verification=Passed, Bootp Server=Passed, Config Title="4/26/2021 01:03 PM - Running", Line Vty 0 4=Passed, Logging Rule=Passed, Banner Rule=Passed, Config Type=Running, Finger Rule=Passed, Http Server=Passed, Name Server=Passed, Pad Service=Passed,

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@vinod743374 

Is that specific pattern that we can say Failed for this?

AaaServer-GE="Critical - Pattern 'aaa new-model' was found On line 28 'aaa new-model' Pattern 'aaa authentication login default group tacacs' was not found Pattern 'aaa authorization exec default group tacacs' was not found Pattern 'aaa accounting exec default start-stop group tacacs' was not found Pattern 'tacacs-server host 10.198.60.40' was not found Pattern 'tacacs-server host 10.198.40.40' was not found Pattern 'tacacs-server directed-request' was not found Pattern 'aaa authentication enable default group tacacs' was not found Pattern 'aaa accounting commands 15 default start-stop group tacacs' was not found"

 

0 Karma

vinod743374
Communicator

Yes,
the Content may changes for different Events.

"Critical - "  is common in all the things the remaining  gets changed.

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@vinod743374 

Can you please try this?

YOUR_SEARCH
| rex field=_raw "=(?<a>Passed)" max_match=0 
| rex field=_raw "=\"(?<b>Critical\s-) " max_match=0 
| eval passed_count=mvcount(a), failed_count=mvcount(b) | fields - a,b

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma

vinod743374
Communicator

Thank you so much it is working.

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

Glad to help you @vinod743374 

But you supposed to accept my last answer  🙂  

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...