Splunk Search

I am trying to get a bar chart to display a stats count of each violation split by the request status, so that it displays both: how many were blocked or alerted. What am I doing wrong?

james_westwood
Engager

index="bigip-asm" web_application_name=HTTPCLASS_PROD_SOAENTRYPOINT_EXTERNAL_LIVE request_status=alerted OR blocked | stats count(eval(request_status="blocked")) as blocked count(eval(request_status="alerted")) as alerted by violations


aweitzman
Motivator

I think you want to replace

request_status=alerted OR blocked

with

request_status=alerted OR request_status=blocked
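The difference between the two search forms in this answer, shown as a small Python emulation of how Splunk evaluates them (an added example, not code from the thread or from Splunk; the events are constructed and the tokeniser is only a rough approximation of Splunk's segmentation): a bare `blocked` after `OR` is a free-text term matched against the raw event text, so it can pull in events whose `request_status` is something else entirely, while `request_status=blocked` only tests the extracted field. The `stats` emulation mirrors the `count(eval(...)) by violations` clause from the question.

```python
import re
from collections import defaultdict

# Constructed sample events, loosely modelled on BIG-IP ASM fields. Each event
# carries the extracted fields Splunk would use for request_status=... plus the
# raw text it would tokenise for a free-text term. The last event is the
# interesting one: request_status is "passed", but the token "blocked" appears
# inside its URI.
EVENTS = [
    {"request_status": "blocked", "violations": "SQL-Injection",
     "_raw": 'request_status="blocked" violations="SQL-Injection" uri="/login"'},
    {"request_status": "alerted", "violations": "SQL-Injection",
     "_raw": 'request_status="alerted" violations="SQL-Injection" uri="/search"'},
    {"request_status": "alerted", "violations": "XSS",
     "_raw": 'request_status="alerted" violations="XSS" uri="/comment"'},
    {"request_status": "blocked", "violations": "XSS",
     "_raw": 'request_status="blocked" violations="XSS" uri="/profile"'},
    {"request_status": "passed", "violations": "Illegal-Method",
     "_raw": 'request_status="passed" violations="Illegal-Method" uri="/blocked/archive"'},
]


def tokens(raw):
    """Rough stand-in for Splunk's segmentation of _raw: lower-case the event
    and split it into alphanumeric tokens (quotes, '=', '/' act as breakers)."""
    return set(re.findall(r"[a-z0-9]+", raw.lower()))


def search_bare_term(events):
    """request_status=alerted OR blocked

    The second disjunct has no field name, so Splunk treats it as a free-text
    term: any event whose raw text contains the token "blocked" matches,
    whatever its request_status field says."""
    return [e for e in events
            if e.get("request_status") == "alerted" or "blocked" in tokens(e["_raw"])]


def search_field_scoped(events):
    """request_status=alerted OR request_status=blocked

    Both disjuncts are field comparisons, so only the extracted field decides."""
    return [e for e in events if e.get("request_status") in ("alerted", "blocked")]


def stats_by_violation(events):
    """stats count(eval(request_status="blocked")) as blocked
             count(eval(request_status="alerted")) as alerted by violations

    count(eval(cond)) counts only the events where cond is true; the by clause
    yields one row per distinct violations value present in the input, even
    when both counters stay at zero for that row."""
    table = defaultdict(lambda: {"blocked": 0, "alerted": 0})
    for e in events:
        row = table[e["violations"]]
        if e.get("request_status") == "blocked":
            row["blocked"] += 1
        if e.get("request_status") == "alerted":
            row["alerted"] += 1
    return dict(table)


if __name__ == "__main__":
    for label, search in (("bare term", search_bare_term),
                          ("field-scoped", search_field_scoped)):
        hits = search(EVENTS)
        print(f"{label}: {len(hits)} events")
        for violation, row in sorted(stats_by_violation(hits).items()):
            print(f"  {violation:15} blocked={row['blocked']} alerted={row['alerted']}")
```

With these events the bare-term search returns five events and the field-scoped search four: the "passed" request is swept in by the token in its URI, and the resulting stats table gains an `Illegal-Method` row with both counters at zero. On a WAF dashboard that kind of mis-scoped term quietly misstates what the device actually did, which is why field-qualifying every disjunct is the safer habit.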

james_westwood
Engager

All I'm trying to see is the results for both alerted and blocked split by each violation, but every time I run this search it seems to only populate either one or the other. So I'll get it split by the violation type, but if there are results in the alerted then blocked will say zero, and vice versa.


james_westwood
Engager

I have tried this, but it always seems to just populate one value (Blocked or Alerted) and leaves the other one "0".


aweitzman
Motivator

Can you post the two searches and the results they get you? I've written a nearly identical search to yours and it works perfectly.

Or possibly I'm misunderstanding something. What is the universe of the possible values for violations? By using that at the end of your stats clause, that's what you're splitting your results over.
