Solved: Stats showing count of 1 result vs NOT that result

KindaWorking · ‎01-15-2015

I am super new to using the powerful eval command but cannot quite get my head around the syntax. Can someone help me?

I am trying to show stats to show how many useragents have the word bot somewhere in the field vs those that do not.

... | eval type=BOT if(useragent="*bot*")|eval type=NOT if(useragent!="*bot*")|stats count by type

_d_ · ‎01-15-2015

Try:

    ... | eval type=if(match(useragent, ".*bot.*"), "BOT", "NOT")|stats count by type

View solution in original post

KindaWorking · ‎01-15-2015

Hi ppablo, it said that I did not have enough karma.

ppablo · ‎01-20-2015

Thanks for confirming. It should be fixed now, but if you're still unable to comment on other users' answers/comments, just let me know.

KindaWorking · ‎01-15-2015

Thanks both d and somesoni2, you were both correct. Thanks!
(I cannot add comments to your answers)

ppablo · ‎01-15-2015

Hi @KindaWorking

Glad you got two awesome answers! Question though for you. What happened exactly when you tried to comment on their answers? Did you receive an error or did a message pop up saying something about not having enough karma or permissions? This might be a bug we thought was fixed already.

_d_ · ‎01-15-2015

Try:

    ... | eval type=if(match(useragent, ".*bot.*"), "BOT", "NOT")|stats count by type

somesoni2 · ‎01-15-2015

Try like this

your base search | eval type=if(like(useragent,"%bot%"),"BOT","NOT") | stats count by type

Stats showing count of 1 result vs NOT that result

Advanced Splunk Data Management Strategies

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...