Splunk Search

Sum of conditional if with wildcard

jclemons7
Path Finder

Hello all,

I have the following search and I can't seem to "trick" it into giving me the data I want... Essentially, I want a table by timestamp and user which counts occurrences of wildcard hits. Here's my lame attempt to get it working:

event="standard"
| regex _raw!="(?i)(fileofinterest\.txt|objectofinterest\.txt|otherthing\.bat)"
| eval type1_if=if(like(InterestingField, "%fileofinterest.txt%"), 1, 0)
| eval type2_if=if(like(InterestingField, "%objectofinterest.txt%"), 1, 0)

I want to get a table that looks like this:

_timestamp | user | type1_if_total | type2_if_total | type_if_total

For each user and _timestamp

Any help is greatly appreciated...

0 Karma
1 Solution

woodcock
Esteemed Legend

I think you are not asking for what you really desire, but assuming I am incorrect, you can do what you asked like this:

event="standard"
| regex _raw!="(?i)(fileofinterest\.txt|objectofinterest\.txt|otherthing\.bat)"
| stats count(eval(match(InterestingField, "(?i)fileofinterest\.txt"))) AS type1_if_total
        count(eval(match(InterestingField, "(?i)objectofinterest\.txt"))) AS type2_if_total
  BY _timestamp user
| eval type_if_total = type1_if_total + type2_if_total

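
The following is an added, self-contained version of the accepted approach, not code from the original thread. It builds six sample events inline with `makeresults` (constructed data, not real logs) so it can be pasted into any Splunk search bar without an index, and it assumes two things the thread leaves open: that the per-row timestamp is Splunk's own `_time` bucketed to the hour (the thread writes `_timestamp`, which is not a default field), and that you want to keep, not exclude, events mentioning the files of interest (the posted searches use `regex _raw!=`, which drops them). It uses `like()` with `%` wildcards, which is what the `%...%` pattern in the question was reaching for; `%` is a literal character inside `match()`, which takes a regex.

```spl
| makeresults count=6
| streamstats count AS n
| eval _time = now() - floor((n - 1) / 2) * 3600
| eval event = "standard"
| eval user = if(n <= 3, "alice", "bob")
| eval InterestingField = case(
    n == 1, "/home/alice/FileOfInterest.TXT",
    n == 2, "/home/alice/objectofinterest.txt",
    n == 3, "/home/alice/notes.txt",
    n == 4, "/home/bob/fileofinterest.txt",
    n == 5, "/home/bob/objectofinterest.txt",
    n == 6, "/tmp/otherthing.bat")
| search event="standard"
| bucket _time span=1h
| stats
    count(eval(like(lower(InterestingField), "%fileofinterest.txt%"))) AS type1_if_total
    count(eval(like(lower(InterestingField), "%objectofinterest.txt%"))) AS type2_if_total
    count AS events
  BY _time user
| eval type_if_total = type1_if_total + type2_if_total
| sort _time user
```

With the constructed data, the first hour for `alice` has one hit of each type (`type1_if_total=1`, `type2_if_total=1`, `type_if_total=2`), which is the case the follow-up in this thread asks about: both counters are populated in the same row when a user has both kinds of event. Rows with no hits still appear with zeros rather than being dropped, because `count(eval(...))` returns 0, not null, for a group where nothing matched. `lower()` gives the same case-insensitive behaviour as the `(?i)` flag in the `regex` command; note that in `like()` the `_` character is also a single-character wildcard, so escape it or switch to `match()` with `(?i)` and `\.` if the file names contain underscores.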

maciep
Champion

something like this?

... | stats count(eval(type1_if=1)) as type1_if count(eval(type2_if=1)) as type2_if count(eval(type1_if=1 OR type2_if=1)) as type_if by _timestamp user
0 Karma

somesoni2
Revered Legend

Any sample logs??

0 Karma


jclemons7
Path Finder

So, this is sort of working, I think... but it seems like my group is only returning one column for each user, so I will get a count of type2_if_total for a given user but I won't get a count of type1_if_total, or vice versa. I need to know the total count of both type1_if_total and type2_if_total for each user.

0 Karma

woodcock
Esteemed Legend

If you are only getting a count of one it is because that is what is really there. If a user has some of each, this search WILL count both and each field will be non-zero. My solution is a complete solution for your need as you described it.

0 Karma