Splunk Search

What is an alternate way to do this query: count(eval(like('some.field',"A"))) AS accepted?

charliedgz
Path Finder

SPLUNK NINJAS! I NEED YOUR HELP!

I have a firewall issue where, for any IP outside of our intranet, Splunk throws errors saying "Could not create search"..., and I tracked it down to these compound count-eval-like statements. For whatever reason it's getting blocked by the NetScaler, and the network people are no help, so as a workaround I have to rewrite the queries. I have been trying different things but no such luck. Obviously there is more to this search, but the basics are all I need...
Maybe a dumb question, but how would I do this without using a compound count-eval-like search:

index=someindex sourcetype=somesourcetype
| stats count as total, count(eval(like('somefield',"A"))) as accepted
| eval rate=(accepted/total)*100
| fields rate

THANKS!

0 Karma
1 Solution

micahkemp
Champion

You could use rex:

| rex field=somefield "(?<accepted>A)"
| stats count AS total, count(accepted) AS accepted

But I think you should look further into why your NetScaler blocked this. I'm guessing it has to do with the word "like", which it may think is being used for a SQL injection attack.

0 Karma
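The two searches in this thread are not quite interchangeable, and the difference is worth checking before swapping one for the other. Splunk's like() treats its pattern as a SQL-style LIKE pattern (% matches any run of characters, _ matches one character), so like('somefield',"A") with no wildcard is true only when the whole field value is exactly "A". rex, on the other hand, searches for the regex anywhere in the field, so "(?<accepted>A)" also fires on values such as "NA" or "AB". Anchoring the rex pattern ("^A$") restores the original behaviour. The Python below is an added illustration of that point, not SPL and not code from the thread or from Splunk; it models both counting methods over a small set of constructed events (the events, and the helper names, are assumptions made for this example; the field name somefield is taken from the question).

```python
import re

# Constructed sample events (not from the thread): one value of somefield per event.
EVENTS = [
    {"somefield": "A"},
    {"somefield": "A"},
    {"somefield": "R"},
    {"somefield": "NA"},   # contains "A" but is not exactly "A"
    {"somefield": "AB"},   # contains "A" but is not exactly "A"
]


def like_to_regex(pattern: str) -> re.Pattern:
    """Translate a LIKE-style pattern (as used by Splunk's like()) into an anchored regex.
    '%' matches any run of characters, '_' matches exactly one character,
    everything else is literal. The anchors make it a whole-value match."""
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def count_like(events, field, pattern):
    """Models: stats count(eval(like('field', "pattern")))
    Counts events whose whole field value matches the LIKE pattern."""
    rx = like_to_regex(pattern)
    return sum(1 for e in events if field in e and rx.search(e[field]))


def count_rex(events, field, regex):
    """Models: | rex field=field "(?<accepted>regex)" | stats count(accepted)
    rex is an unanchored search, so any event whose field contains a match
    gets the accepted field and is counted."""
    rx = re.compile(regex)
    return sum(1 for e in events if field in e and rx.search(e[field]))


def acceptance_rate(accepted, total):
    """Models: | eval rate=(accepted/total)*100"""
    return accepted / total * 100 if total else 0.0


def compare(events=EVENTS):
    """Run the like() version, the unanchored rex version and the anchored rex
    version over the same events so the difference is visible side by side."""
    total = len(events)
    like_a = count_like(events, "somefield", "A")
    rex_a = count_rex(events, "somefield", "A")
    rex_anchored = count_rex(events, "somefield", "^A$")
    return {
        "total": total,
        "like_A": like_a,
        "rex_A": rex_a,
        "rex_anchored": rex_anchored,
        "rate_like": acceptance_rate(like_a, total),
        "rate_rex": acceptance_rate(rex_a, total),
        "rate_rex_anchored": acceptance_rate(rex_anchored, total),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

On the constructed events the like() version and the anchored rex version both count 2 accepted events (a 40% rate), while the unanchored rex version counts 4 (80%), because "NA" and "AB" also contain "A". If the real values of somefield can contain the target letter as a substring, use the anchored form in the rex rewrite so the rate reported to the dashboard does not change.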

charliedgz
Path Finder

You are a demo saver.... I will take your advice.

THANK YOU!

0 Karma