SPLUNK NINJAS! I NEED YOUR HELP!
I have a firewall issue where any IP outside of our intranet, Splunk throws errors saying "Could not create search".... and i tracked it down to these compound count-eval-like statements. For whatever reason its getting blocked by the netscaler and network people are no help, so as a work around, rewrite the queries. I have been trying different things but no such luck. obviously there is more to this search but the basics is all i need...
Maybe a dumb question, but How would I do this without using compound count-eval-like search:
index=someindex sourcetype=somesourcetype
| stats count as total, count(eval(like('somefield',"A"))) as accepted
| eval rate=(accepted/total)*100
| fields rate
THANKS!
You could use rex:
| rex field=somefield "(?<accepted>A)"
| stats count AS total, count(accepted) AS accepted
But I think you should look further into why your netscaler blocked this. I'm guessing it has to do with the word like
which it may be thinking is being used for a SQL injection attack.
You could use rex:
| rex field=somefield "(?<accepted>A)"
| stats count AS total, count(accepted) AS accepted
But I think you should look further into why your netscaler blocked this. I'm guessing it has to do with the word like
which it may be thinking is being used for a SQL injection attack.
You are a demo saver.... i will take your advice.
THANK YOU!