Solved: Re: I want to extract the same result from stats.

noott211 · ‎12-15-2021

I want to see the result values of Src_ip and dst_ip are the same and "ok" and the number of these result values. What should I do? The code I made doesn't work well.

index="my_index"
|eval cheack=if(html_code==200,"error","OK")
|stats list(src_ip) as src_ip list(dst_ip) as dst_ip by cheack
|table src_ip , dst_ip , cheack , count

ashvinpandey · ‎12-15-2021

@noott211 Try using the below queries:
Query1:

index="my_index"
|eval check=if(html_code==200,"error","OK")
|stats values(check) as check by src_ip dst_ip
|table src_ip , dst_ip , check , count

Query2:

index="my_index"
|eval check=if(html_code==200,"error","OK")
|stats values(src_ip) as src_ip values(dst_ip) as dst_ip by check 
|table src_ip , dst_ip , check , count

If this reply helped you an upvote would be appreciated, thank you.

View solution in original post

ashvinpandey · ‎12-15-2021

@noott211 Try using the below queries:
Query1:

index="my_index"
|eval check=if(html_code==200,"error","OK")
|stats values(check) as check by src_ip dst_ip
|table src_ip , dst_ip , check , count

Query2:

index="my_index"
|eval check=if(html_code==200,"error","OK")
|stats values(src_ip) as src_ip values(dst_ip) as dst_ip by check 
|table src_ip , dst_ip , check , count

If this reply helped you an upvote would be appreciated, thank you.

I want to extract the same result from stats.

chart

count

eval

stats

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?