Solved: Mulitple indexes, sourcetypes - obtaining counts

RB5 · ‎02-04-2014

Hi, I am hoping to use the search below, to get the counts for the categories in DIRECTION and the categories in TYPE.

If I end the search with just: | stats count DIRECTION

I get the correct counts for those.
If I end with just: | stats count TYPE
I get the correct counts for 'TYPE'.

I want to get to put them together, but no luck for: | stats count by DIRECTION TYPE
(no help if I put a comma between them).

The search and the 'evals' do pull the data desired.

Thanks,

index=aaa OR index=bbb sourcetype=ccc OR sourcetype=ccc
(extin "from=") OR (extout "from=") OR "virusname=" OR "cmd=judge module=access rule=pdrbl"
| eval DIRECTION = case (direction=="inbound", "Inbound", direction=="outbound", "Outbound")
| eval TYPE=case ( rule=="pdrbl", "pdrbl", match(virusname,"\S+"), "virus")

| stats count by DIRECTION TYPE

somesoni2 · ‎02-05-2014

Try this

index=aaa OR index=bbb sourcetype=ccc OR sourcetype=ccc (extin "from=") OR (extout "from=") OR "virusname=" OR "cmd=judge module=access rule=pdrbl" | eval DIRECTION = case (direction=="inbound", "Inbound", direction=="outbound", "Outbound") | eval TYPE=case ( rule=="pdrbl", "pdrbl", match(virusname,"S+"), "virus") | eval countfield=case(isnotnull(DIRECTION) AND isnotnull(TYPE),DIRECTION.",".TYPE,isnull(DIRECTION),TYPE,isnull(TYPE),DIRECTION) | eval countfield=split(countfield,",") | mvexpand countfield | stats count by countfield

View solution in original post

RB5 · ‎02-05-2014

Actually, that worked. The slash got lost in: match(virusname,"\S+") at some point but when I put it back in, it worked as hoped. Thank you very much!

RB5 · ‎02-05-2014

Thanks, it is closer. It gives the results of "Inbound", "Outbound" and "pdrbl" but not for "virus" - which I know does have counts. Am going through what you altered to make sense of it.

somesoni2 · ‎02-05-2014

Try this

index=aaa OR index=bbb sourcetype=ccc OR sourcetype=ccc (extin "from=") OR (extout "from=") OR "virusname=" OR "cmd=judge module=access rule=pdrbl" | eval DIRECTION = case (direction=="inbound", "Inbound", direction=="outbound", "Outbound") | eval TYPE=case ( rule=="pdrbl", "pdrbl", match(virusname,"S+"), "virus") | eval countfield=case(isnotnull(DIRECTION) AND isnotnull(TYPE),DIRECTION.",".TYPE,isnull(DIRECTION),TYPE,isnull(TYPE),DIRECTION) | eval countfield=split(countfield,",") | mvexpand countfield | stats count by countfield

RB5 · ‎02-05-2014

I appreciate the answer, but no, that isn't what I was looking for. DIRECTION and TYPE are independent of each other. I want to see counts for all 4 categories:

Inbound: nn
Outbound: nn
virus: nn
pdrbl: nn

So basically, instead of having 2 separate searches dues to separate indexes, I want the results from a single search. Only way I could find to do that was with the eval commands.

Thanks.

RB5 · ‎02-05-2014

I appreciate the answer, but no, that isn't what I was looking for. DIRECTION and TYPE are independent of each other. I want to see counts for all 4 categories:

Inbound: nn
Outbound: nn
virus: nn
pdrbl: nn

So basically, instead of having 2 separate searches dues to separate indexes, I want the results from a single search. Only way I could find to do that was with the eval commands.

Thanks.

Mulitple indexes, sourcetypes - obtaining counts

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

Mulitple indexes, sourcetypes - obtaining counts

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine