Splunk Search

What is an alternate way to do this query: count(eval(like('some.field',"A"))) AS accepted?

charliedgz
Path Finder

SPLUNK NINJAS! I NEED YOUR HELP!

I have a firewall issue where any IP outside of our intranet, Splunk throws errors saying "Could not create search".... and i tracked it down to these compound count-eval-like statements. For whatever reason its getting blocked by the netscaler and network people are no help, so as a work around, rewrite the queries. I have been trying different things but no such luck. obviously there is more to this search but the basics is all i need...
Maybe a dumb question, but How would I do this without using compound count-eval-like search:

index=someindex sourcetype=somesourcetype
            | stats count as total, count(eval(like('somefield',"A"))) as accepted
            | eval rate=(accepted/total)*100
            | fields rate

THANKS!

0 Karma
1 Solution

micahkemp
Champion

You could use rex:

| rex field=somefield "(?<accepted>A)"
| stats count AS total, count(accepted) AS accepted

But I think you should look further into why your netscaler blocked this. I'm guessing it has to do with the word like which it may be thinking is being used for a SQL injection attack.

View solution in original post

0 Karma

micahkemp
Champion

You could use rex:

| rex field=somefield "(?<accepted>A)"
| stats count AS total, count(accepted) AS accepted

But I think you should look further into why your netscaler blocked this. I'm guessing it has to do with the word like which it may be thinking is being used for a SQL injection attack.

0 Karma

charliedgz
Path Finder

You are a demo saver.... i will take your advice.

THANK YOU!

0 Karma
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...