Solved: How to write a stats count search for events based...

DEAD_BEEF · ‎11-03-2014

I have a log file that lists which tool created the alert. I would like to count alerts by tool name, but I want to combine certain tool counts based on commonalities that I specify.

For example:

index=logs | stats count by Tools
McAfee Basic     12
Extreme McAfee   34
Plat McAfee Plus 6
Xerox IDS Base   1
Stumble IDS Plus 8
Microsoft X IDS  40

I would prefer to count based on tools having the word "McAfee" or "IDS" in them (so that they're grouped)

index=logs | some UNKNOWN QUERY
McAfee 52
IDS 49

somesoni2 · ‎11-03-2014

Try this

index=logs | stats count(eval(match(Tools,"McAfee"))) as "McAfee" count(eval(match(Tools,"IDS"))) as IDS

View solution in original post

somesoni2 · ‎11-03-2014

Try this

index=logs | stats count(eval(match(Tools,"McAfee"))) as "McAfee" count(eval(match(Tools,"IDS"))) as IDS

wpreston · ‎11-03-2014

Try this:

index=logs | stats count(eval(searchmatch("McAfee"))) as McAfee count(eval(searchmatch("IDS"))) as IDS

How to write a stats count search for events based on common (but variable) names?

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

Explore the Latest Educational Offerings from Splunk (November Releases)

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...