Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Stats showing count of 1 result vs NOT that result

KindaWorking
Path Finder
‎01-15-2015 02:01 PM

I am super new to using the powerful eval command but cannot quite get my head around the syntax. Can someone help me?

I am trying to show stats to show how many useragents have the word bot somewhere in the field vs those that do not.

... | eval type=BOT if(useragent="*bot*")|eval type=NOT if(useragent!="*bot*")|stats count by type
Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

_d_
Splunk Employee
Splunk Employee
‎01-15-2015 02:16 PM

Try:

    ... | eval type=if(match(useragent, ".*bot.*"), "BOT", "NOT")|stats count by type

View solution in original post

Reply
Solved! Jump to solution

KindaWorking
Path Finder
‎01-15-2015 06:06 PM

Hi ppablo, it said that I did not have enough karma.

0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎01-20-2015 06:05 PM

Thanks for confirming. It should be fixed now, but if you're still unable to comment on other users' answers/comments, just let me know.

0 Karma
Reply
Solved! Jump to solution

KindaWorking
Path Finder
‎01-15-2015 02:41 PM

Thanks both d and somesoni2, you were both correct. Thanks!
(I cannot add comments to your answers)

Reply
Solved! Jump to solution

ppablo
Retired
‎01-15-2015 05:09 PM

Hi @KindaWorking

Glad you got two awesome answers! Question though for you. What happened exactly when you tried to comment on their answers? Did you receive an error or did a message pop up saying something about not having enough karma or permissions? This might be a bug we thought was fixed already.

0 Karma
Reply
Solved! Jump to solution
Solution

_d_
Splunk Employee
Splunk Employee
‎01-15-2015 02:16 PM

Try:

    ... | eval type=if(match(useragent, ".*bot.*"), "BOT", "NOT")|stats count by type
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-15-2015 02:15 PM

Try like this

your base search | eval type=if(like(useragent,"%bot%"),"BOT","NOT") | stats count by type
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...