Solved: How to write a stats count search for events based...

DEAD_BEEF · ‎11-03-2014

I have a log file that lists which tool created the alert. I would like to count alerts by tool name, but I want to combine certain tool counts based on commonalities that I specify.

For example:

index=logs | stats count by Tools
McAfee Basic     12
Extreme McAfee   34
Plat McAfee Plus 6
Xerox IDS Base   1
Stumble IDS Plus 8
Microsoft X IDS  40

I would prefer to count based on tools having the word "McAfee" or "IDS" in them (so that they're grouped)

index=logs | some UNKNOWN QUERY
McAfee 52
IDS 49

somesoni2 · ‎11-03-2014

Try this

index=logs | stats count(eval(match(Tools,"McAfee"))) as "McAfee" count(eval(match(Tools,"IDS"))) as IDS

View solution in original post

somesoni2 · ‎11-03-2014

Try this

index=logs | stats count(eval(match(Tools,"McAfee"))) as "McAfee" count(eval(match(Tools,"IDS"))) as IDS

wpreston · ‎11-03-2014

Try this:

index=logs | stats count(eval(searchmatch("McAfee"))) as McAfee count(eval(searchmatch("IDS"))) as IDS

How to write a stats count search for events based on common (but variable) names?

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?

How to write a stats count search for events based on common (but variable) names?

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25