Splunk Search

How to get multiple distinct counts for subset of logs in single query?

Damek
Engager

Hello, I am currently using the |append method for some queries, but was curious if there is a better way for me to be writing these? We are trying to create a single alert that could be triggered by various conditions such as total number of failures or total number of unique customer failures. The following is a simplified example of what I am currently doing and would like to improve if anyone knows how:

 

"base query stuff"
| stats count as TOTAL count(eval(SEVERITY="INFO")) as SUCCESS count(eval(SEVERITY="SOAP-FAULT")) as FAULT count(eval(SEVERITY!="INFO" AND SEVERITY!="SOAP-FAULT")) as ERROR
| append [search "base query stuff" SEVERITY="SOAP-FAULT" | stats dc(userId) as UNIQUE_FAULT]
| where UNIQUE_FAULT > 10 OR FAULT > 20 OR ERROR > 30

 

I would also love to be able to create a table with all of  this data (hence the success variable), which contains the totals of each and unique customer impacts of each! 

Labels (1)
Tags (4)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

In your first stats you can do the dc with this

dc(eval(if(SEVERITY="SOAP-FAULT", userId, null))) as UNIQUE_FAULT

 

View solution in original post

0 Karma

bowesmana
SplunkTrust
SplunkTrust

In your first stats you can do the dc with this

dc(eval(if(SEVERITY="SOAP-FAULT", userId, null))) as UNIQUE_FAULT

 

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@Damek 

If your base search is common for both searches then you can try this.

"base query stuff" 
| eval SOAP_FAULT_userId = if(SEVERITY=="SOAP-FAULT",userId,null())
| stats count as TOTAL count(eval(SEVERITY="INFO")) as SUCCESS count(eval(SEVERITY="SOAP-FAULT")) as FAULT count(eval(SEVERITY!="INFO" AND SEVERITY!="SOAP-FAULT")) as ERROR dc(SOAP_FAULT_userId) as Splunk

 

My Sample Search :

| makeresults 
| eval _raw="SEVERITY,userId
INFO,1
INFO,1
SOAP-FAULT,1
SOAP-FAULT,2
INFO1,1
INFO2,1
OTHER_INFO,1
INFO,1
SOAP-FAULT,1
"
| multikv forceheader=1 
| table SEVERITY userId
| rename comment as "upto this is sample data" 
| eval SOAP_FAULT_userId = if(SEVERITY=="SOAP-FAULT",userId,null())
| stats count as TOTAL count(eval(SEVERITY="INFO")) as SUCCESS count(eval(SEVERITY="SOAP-FAULT")) as FAULT count(eval(SEVERITY!="INFO" AND SEVERITY!="SOAP-FAULT")) as ERROR dc(SOAP_FAULT_userId) as Splunk

 

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

 

0 Karma
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...