Solved: How to write a stats count search for events based...

DEAD_BEEF · ‎11-03-2014

I have a log file that lists which tool created the alert. I would like to count alerts by tool name, but I want to combine certain tool counts based on commonalities that I specify.

For example:

index=logs | stats count by Tools
McAfee Basic     12
Extreme McAfee   34
Plat McAfee Plus 6
Xerox IDS Base   1
Stumble IDS Plus 8
Microsoft X IDS  40

I would prefer to count based on tools having the word "McAfee" or "IDS" in them (so that they're grouped)

index=logs | some UNKNOWN QUERY
McAfee 52
IDS 49

somesoni2 · ‎11-03-2014

Try this

index=logs | stats count(eval(match(Tools,"McAfee"))) as "McAfee" count(eval(match(Tools,"IDS"))) as IDS

View solution in original post

somesoni2 · ‎11-03-2014

Try this

index=logs | stats count(eval(match(Tools,"McAfee"))) as "McAfee" count(eval(match(Tools,"IDS"))) as IDS

wpreston · ‎11-03-2014

Try this:

index=logs | stats count(eval(searchmatch("McAfee"))) as McAfee count(eval(searchmatch("IDS"))) as IDS

How to write a stats count search for events based on common (but variable) names?

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Are you a member of the Splunk Community?

How to write a stats count search for events based on common (but variable) names?

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25