Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is an alternate way to do this query: count(eval(like('some.field',"A"))) AS accepted?

charliedgz
Path Finder
‎02-07-2018 03:30 PM

SPLUNK NINJAS! I NEED YOUR HELP!

I have a firewall issue where any IP outside of our intranet, Splunk throws errors saying "Could not create search".... and i tracked it down to these compound count-eval-like statements. For whatever reason its getting blocked by the netscaler and network people are no help, so as a work around, rewrite the queries. I have been trying different things but no such luck. obviously there is more to this search but the basics is all i need...
Maybe a dumb question, but How would I do this without using compound count-eval-like search:

index=someindex sourcetype=somesourcetype
            | stats count as total, count(eval(like('somefield',"A"))) as accepted
            | eval rate=(accepted/total)*100
            | fields rate

THANKS!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

micahkemp
Champion
‎02-07-2018 03:54 PM

You could use rex:

| rex field=somefield "(?<accepted>A)"
| stats count AS total, count(accepted) AS accepted

But I think you should look further into why your netscaler blocked this. I'm guessing it has to do with the word like which it may be thinking is being used for a SQL injection attack.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

micahkemp
Champion
‎02-07-2018 03:54 PM

You could use rex:

| rex field=somefield "(?<accepted>A)"
| stats count AS total, count(accepted) AS accepted

But I think you should look further into why your netscaler blocked this. I'm guessing it has to do with the word like which it may be thinking is being used for a SQL injection attack.

0 Karma
Reply
Solved! Jump to solution

charliedgz
Path Finder
‎02-07-2018 05:12 PM

You are a demo saver.... i will take your advice.

THANK YOU!

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...