Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why are the blocked data counts not showing up?

Yaichael
Communicator
‎05-13-2019 09:48 AM

Good day,

I've the following query where I want to show the amount of times a category was notified "Blocked"
out of the "Detected" ones, but the "Blocked" column isn't bringing up any results.

index=test_csv (source="Detected*.csv" OR source="Stopped*.csv") sourcetype="csv"
| eval cat = if(cat=="new", "web", cat)
| eval action = if( like( notif , "%Deny%" ) OR like( notif , "%Block%" ), "Blocked" , "Detected" )
| stats count(action) as tcount by rep , cat
| sort -tcount
| stats values(rep) as "Rep" , list(tcount) as Detected , list(eval(action=="Blocked")) as Blocked by cat
| sort -Detected
| rename cat as categories

What am I missing?

Thanks!

Tags (1)
0 Karma
Reply

DavidHourani
Super Champion
‎05-13-2019 12:54 PM

Hi @Yaichael,

Nice query you've got there, just needs a minor tweak, try it as follows : 

 index=test_csv (source="Detected*.csv" OR source="Stopped*.csv") sourcetype="csv"
 | eval cat = if(cat=="new", "web", cat)
 | eval action = if( like( notif , "%Deny%" ) OR like( notif , "%Block%" ), "Blocked" , "Detected" )
 | stats values(rep) as "Rep",  count(action) as total, count(eval(action="Blocked")) as BlockedCount by cat
 | rename cat as categories

Let me know if that's what you're looking for.

PS: Also if you only want the count of blocked events regardless of the detected ones you should simply use that as a filter in your initial query as follows : 

index=test_csv (source="Detected*.csv" OR source="Stopped*.csv") sourcetype="csv" (notif="*Deny*" OR notif="*Block*")

Cheers,
David

0 Karma
Reply

Yaichael
Communicator
‎05-14-2019 05:49 AM

After seeing you guys suggestions, I was able to come up with the subsequent query; giving me the expected results. Thanks for shedding some light on me.

index=test_csv (source="Detected*.csv" OR source="Stopped*.csv") sourcetype="csv"
| eval cat = if(cat=="new", "web", cat)
| eval action = if( like( notif , "%Deny%" ) OR like( notif , "%Terminat%" ) OR like( notif , "%Block%" ), "Blocked" , "Detected" )
| stats count(action) as detected , count(eval(action=="Blocked")) as blocked by rep , cat
| sort -detected , -blocked
| stats values(rep) as "Rep" , list(detected) as Detected , list(blocked) as Blocked by cat
| sort -Detected
| rename cat as categories
0 Karma
Reply

Vijeta
Influencer
‎05-13-2019 09:53 AM

Your first stats command does not have action field so second stats command will not be able to eval on action.
Try changing your first stats command to 

| stats count(action) as tcount by rep , cat, action
0 Karma
Reply

Yaichael
Communicator
‎05-13-2019 11:47 AM

Doing what you suggested made the statistics show incorrect values for Detected and Blocked.

0 Karma
Reply

Vijeta
Influencer
‎05-13-2019 12:17 PM

@Yaichael Why are you using list(eval(action="Blocked")). If you want to show Detected and Blocked count you can use below query

 index=test_csv (source="Detected*.csv" OR source="Stopped*.csv") sourcetype="csv"
 | eval cat = if(cat=="new", "web", cat)
 | eval action = if( like( notif , "%Deny%" ) OR like( notif , "%Block%" ), "Blocked" , "Detected" )

 | stats values(rep) as "Rep" , count(action) as Detected , count(eval(action="Blocked")) as Blocked by cat
 | sort -Detected
 | rename cat as categories
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...