Splunk Search

How to return count column in the existing search?

super_edition
Path Finder

Hello, 

I have the below search query:

index=my_index openshift_cluster="cluster009" sourcetype=openshift_logs openshift_namespace=my_ns 
("POST /online-shopping/debt_cart/v1 HTTP" 
OR "GET /online-shopping/debt_cart/v1/* HTTP"
OR "GET *online-shopping*debt_cart*productType* HTTP")
| eval Operations=case(
searchmatch("POST /online-shopping/debt_cart/v1 HTTP"),"create_cart",
searchmatch("GET /online-shopping/debt_cart/v1/*/summary HTTP"),"cart_summary",
searchmatch("GET *online-shopping*debt_cart*productType* HTTP"),"cart_productType",
match(_raw, "GET /online-shopping/debt_cart/v1/[^/ ?]+\sHTTP"),"getDebtCart")
| stats avg(processDuration) as average perc90(processDuration) as response90 by Operations 
| eval average=round(average,2),response90=round(response90,2)

which displays the data as below:

Operations         average   response90
create_cart        250       380
cart_summary       240       330
cart_productType   210       321
getDebtCart        260       365

Now I want to add the count of the URL pattern against each operation, as below. I tried adding the count as part of stats. It is not working.

Not sure how to proceed.

Operations         count   average   response90
create_cart        1919    250       380
cart_summary       2001    240       330
cart_productType   1971    210       321
getDebtCart        8162    260       365


ITWhisperer
SplunkTrust

Please share the SPL you tried (which isn't working) and explain what results you did get?


0 Karma

super_edition
Path Finder

@ITWhisperer There was an issue in the search parameter of my SPL, which I fixed. It is now returning the count as expected. Apart from that, there is no change in the stats part of the query:

| stats count as hits avg(processDuration) as average perc90(processDuration) as response90 by Operations 

Thank you once again

0 Karma
