Splunk Search

Stats command

Karthikeya
Communicator

I am trying to write a Splunk query for total traffic vs. attack traffic in order to keep it in a dashboard panel.

We have a field called attack_type which contains all the attacks, and those will be dynamic (new ones will be coming daily).

For last 24 hours, we have 1000 total events and 400 attack_type events.

How can I show this in a single dashboard panel?

I tried to write this query:

index=* *jupiter* | stats count as "Total Traffic" count(eval(attack_type="*")) as "Attack Traffic"

but getting this error:

Error in 'stats' command: The eval expression for dynamic field 'attack_type=*' is invalid. Error='The expression is malformed. An unexpected character is reached at '*'.'.

Please help me in this regard.

0 Karma

PickleRick
SplunkTrust

You probably wanted to do something like

stats count(eval(isnotnull(attack_type)))

I must say though that I don't like the stats eval syntax - it can be confusing. I prefer to do stuff explicitly. Like this:

| eval isattack=if(isnotnull(attack_type),1,0)
| stats count as "Total Traffic" sum(isattack) as "Attack Traffic"

PS: Oh, and don't search across all your indexes. While it might work relatively not that bad on some small deployments or for a user with very limited permissions, it's a very bad habit which doesn't scale well. And don't use wildcards at the beginning of your search term (like *jupiter*).

0 Karma

richgalloway
SplunkTrust

Wildcards don't work everywhere and the eval function may be one of those places. Try using isnotnull(), instead.

index=* *jupiter* 
| stats count as "Total Traffic" count(eval(isnotnull(attack_type))) as "Attack Traffic"

On the subject of wildcards, avoid using index=*, except in special circumstances. Also, a leading wildcard in the search command (as in "*jupiter*") is very inefficient.

---
If this reply helps you, Karma would be appreciated.
0 Karma
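An added example, not taken from either reply, that carries the isnotnull() pattern from the answers above into a dashboard-ready time series with an attack ratio. The index name `web`, the sourcetype `proxy_logs`, and the unwildcarded search term `jupiter` are placeholders standing in for the OP's `index=* *jupiter*`; the `| eval isattack=...` step makes the attack flag explicit so the same field can feed both the sum and the percentage.

```spl
index=web sourcetype=proxy_logs jupiter
| eval isattack=if(isnotnull(attack_type), 1, 0)
| timechart span=1h count as "Total Traffic" sum(isattack) as "Attack Traffic"
| eval "Attack %"=round(100 * 'Attack Traffic' / 'Total Traffic', 1)
```

Over the OP's 24-hour window of 1000 total and 400 attack events, the summed columns come to 1000, 400 and an overall 40.0 %; because new attack_type values are counted by presence rather than by name, newly appearing attack types need no change to the panel.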