Splunk Search

What is an alternate way to do this query: count(eval(like('some.field',"A"))) AS accepted?

charliedgz
Path Finder

SPLUNK NINJAS! I NEED YOUR HELP!

I have a firewall issue where, for any IP outside of our intranet, Splunk throws errors saying "Could not create search"... and I tracked it down to these compound count-eval-like statements. For whatever reason it's getting blocked by the NetScaler and the network people are no help, so as a workaround I'm rewriting the queries. I have been trying different things but no such luck. Obviously there is more to this search, but the basics are all I need...
Maybe a dumb question, but how would I do this without using a compound count-eval-like search:

index=someindex sourcetype=somesourcetype
| stats count as total, count(eval(like('somefield',"A"))) as accepted
| eval rate=(accepted/total)*100
| fields rate

THANKS!

0 Karma
1 Solution

micahkemp
Champion

You could use rex:

| rex field=somefield "(?<accepted>A)"
| stats count AS total, count(accepted) AS accepted

But I think you should look further into why your NetScaler blocked this. I'm guessing it has to do with the word "like", which it may think is being used for a SQL injection attack.


0 Karma
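The full rewritten search, as an added example that is not part of the accepted answer above. It keeps the original rate calculation and uses the placeholder index, sourcetype and field names from the question. One caveat worth carrying into the rewrite: like('somefield',"A") with no % or _ wildcard is an exact match of the whole value, whereas the unanchored pattern (?<accepted>A) matches any value that merely contains an "A", so the regex is anchored with ^ and $ to preserve the original semantics.

```spl
index=someindex sourcetype=somesourcetype
| rex field=somefield "^(?<accepted>A)$"
| stats count AS total, count(accepted) AS accepted
| eval rate=round((accepted/total)*100, 2)
| fields rate
```

If rex is not wanted, the same count can be expressed as count(eval(somefield="A")) AS accepted in the stats line, which also avoids the "like" keyword. Either form gives the WAF in front of Splunk nothing that resembles a SQL LIKE clause, but the proxy rule itself is still a false positive on the SPL function name, and the exact signature that fires is the thing to confirm with whoever manages the NetScaler before relying on a rewrite.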

charliedgz
Path Finder

You are a demo saver.... I will take your advice.

THANK YOU!

0 Karma