How to use tags in stats/eval expression?

Explorer

Hello Community,

I have defined some tags like:
Field=Value --> TAG
OBJECT_TYPE=*_EMS --> EMS

Now I want to use these tags within my eval statement:

|stats 
count(eval('tag::OBJECT_TYPE'="EMS")) AS EMS 

But the count result is 0.
Thanks in advance for your support!

Explorer

Hello both,

Unfortunately all of your provided suggestions are returning 0 (which is not true):

  count(eval(tag="WWV")) AS WWV 
  count(eval(tag='WWV')) AS WWV0 
  count(eval('tag::OBJECT_TYPE'="WWV")) AS WWV1
  count(eval(match('tag::OBJECT_TYPE',"WWV"))) AS WWV2

Do you have any other ideas?!?

It's working with an AND combined search like

count(eval(like(OBJECT_TYPE,"WWV%") OR like(OBJECT_TYPE,"%WWV"))) AS WWV

But it would be much more elegant for me to define the groupings globally with tags.

Thanks and regards Sebastian

SplunkTrust

Could my first solution, which uses tags, work for you?
Bye.
Giuseppe

Explorer

I need to evaluate different tags in the result. Here is my actual code without a search; the tags are defined centrally in the tag definition for the field OBJECT_TYPE.

index="eai_tsim_account_p" host="rbedilif" | stats
count(eval(tag="WWV")) AS WWV0
count(eval('tag::OBJECT_TYPE'="WWV")) AS WWV1
count(eval(match('tag::OBJECT_TYPE',"WWV"))) AS WWV2
count(eval(like(OBJECT_TYPE,"WWV%"))) AS WWV
count(eval(like(OBJECT_TYPE,"IFT%") OR like(OBJECT_TYPE,"IFC%") OR like(OBJECT_TYPE,"XML_INVOIC%") OR like(OBJECT_TYPE,"UTILMD%") OR like(OBJECT_TYPE,"XML_EPCIS"))) AS TMS
count(eval(like(OBJECT_TYPE,"%VMI"))) AS VMI
count(eval(like(OBJECT_TYPE,"INVRPTE%") OR like(OBJECT_TYPE,"DELJIT_SUPO_EMS") OR like(OBJECT_TYPE,"APERAK"))) AS EMS
count(eval(like(OBJECT_TYPE,"DELFOR") OR like(OBJECT_TYPE,"DESADV") OR like(OBJECT_TYPE,"vda%") OR like(OBJECT_TYPE,"X12%") OR like(OBJECT_TYPE,"ORD%") OR like(OBJECT_TYPE,"INVRPT") OR like(OBJECT_TYPE,"edl") OR like(OBJECT_TYPE,"DELJIT"))) AS Procurement
| transpose

This search/count is working for WWV, TMS, EMS and Procurement, but not for the first three tag-based results WWV0, WWV1, WWV2.

Super Champion

So maybe mine are just set up differently than yours, but my tag comes back as tag::eventtype. If yours comes back as tag::OBJECT_TYPE, perfect, keep using that.

How I got it to work:
|stats count(eval(match('tag::eventtype',"EMS"))) as EMS
but it should still work with
|stats count(eval('tag::eventtype'="EMS")) as EMS
or just
|stats count(eval(tag="EMS")) as EMS

SplunkTrust

Hi hse8fe,
first, you could change your search:

my_search tag="EMS"
| stats count

Otherwise you could use eval in a different way:

my_search
| stats count(eval(tag="EMS")) AS EMS 

Bye.
Giuseppe