Splunk Search

Looking for a faster search query: Count different platforms from somewhat same events

Bleepie
Communicator

Dear Splunk Community,

I have the following search:

 

index=websphere 200 OK POST 

 

And I have different platforms that I find like this:

 

index=websphere 200 OK POST LINUX
index=websphere 200 OK POST Windows
index=websphere 200 OK POST zLinux

 

I am currently using the following query to count all 200 OK POST events per platform:

 

index=websphere 200 OK POST LINUX | stats count | rename count AS "Linux" | append [search index=websphere 200 OK POST WINDOWS | stats count | rename count AS "Windows"] | append [search index=websphere 200 OK POST ZLINUX | stats count | rename count AS "zLinux"] 

 

This is just an example, I have way more platforms that I search like in the query above. I have two issues:

  • Its slow
  • It counts per platform and generates table headers horizontally that I don't want

Bleepie_0-1633610704587.png

I would like to change the above so that I get the following output:

Platform | Count

Linux | 24

Windows | 50

zLinux | 0

Also, using append search seems a bit devious. There must be a simpler, faster and better way to do this, but how?

Thanks in advance

 

EDIT: Please note that the results are all shown in _raw , there are no platform fields or anything generated

Labels (4)
0 Karma
1 Solution

somesoni2
Revered Legend

Try something like this

index=websphere 200 OK POST (LINUX OR WINDOWS OR ZLINUX) | eval Platform=case(searchmatch("LINUX"),"LINUX", searchmatch("WINDOWS"),"WINDOWS", true(),"ZLINUX") | stats count by Platform

View solution in original post

0 Karma

somesoni2
Revered Legend

Try something like this

index=websphere 200 OK POST (LINUX OR WINDOWS OR ZLINUX) | eval Platform=case(searchmatch("LINUX"),"LINUX", searchmatch("WINDOWS"),"WINDOWS", true(),"ZLINUX") | stats count by Platform
0 Karma

Bleepie
Communicator

Thanks! Works like a charm! Not familiair with searchmatch but will look into it.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...