Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is an alternate way to do this query: count(eval(like('some.field',"A"))) AS accepted?

charliedgz
Path Finder
‎02-07-2018 03:30 PM

SPLUNK NINJAS! I NEED YOUR HELP!

I have a firewall issue where any IP outside of our intranet, Splunk throws errors saying "Could not create search".... and i tracked it down to these compound count-eval-like statements. For whatever reason its getting blocked by the netscaler and network people are no help, so as a work around, rewrite the queries. I have been trying different things but no such luck. obviously there is more to this search but the basics is all i need...
Maybe a dumb question, but How would I do this without using compound count-eval-like search:

index=someindex sourcetype=somesourcetype
            | stats count as total, count(eval(like('somefield',"A"))) as accepted
            | eval rate=(accepted/total)*100
            | fields rate

THANKS!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

micahkemp
Champion
‎02-07-2018 03:54 PM

You could use rex:

| rex field=somefield "(?<accepted>A)"
| stats count AS total, count(accepted) AS accepted

But I think you should look further into why your netscaler blocked this. I'm guessing it has to do with the word like which it may be thinking is being used for a SQL injection attack.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

micahkemp
Champion
‎02-07-2018 03:54 PM

You could use rex:

| rex field=somefield "(?<accepted>A)"
| stats count AS total, count(accepted) AS accepted

But I think you should look further into why your netscaler blocked this. I'm guessing it has to do with the word like which it may be thinking is being used for a SQL injection attack.

0 Karma
Reply
Solved! Jump to solution

charliedgz
Path Finder
‎02-07-2018 05:12 PM

You are a demo saver.... i will take your advice.

THANK YOU!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...