Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why are the blocked data counts not showing up?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why are the blocked data counts not showing up?
Yaichael
Communicator
05-13-2019
09:48 AM
Good day,
I've the following query where I want to show the amount of times a category was notified "Blocked"
out of the "Detected" ones, but the "Blocked" column isn't bringing up any results.
index=test_csv (source="Detected*.csv" OR source="Stopped*.csv") sourcetype="csv"
| eval cat = if(cat=="new", "web", cat)
| eval action = if( like( notif , "%Deny%" ) OR like( notif , "%Block%" ), "Blocked" , "Detected" )
| stats count(action) as tcount by rep , cat
| sort -tcount
| stats values(rep) as "Rep" , list(tcount) as Detected , list(eval(action=="Blocked")) as Blocked by cat
| sort -Detected
| rename cat as categories
What am I missing?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DavidHourani
Super Champion
05-13-2019
12:54 PM
Hi @Yaichael,
Nice query you've got there, just needs a minor tweak, try it as follows :
index=test_csv (source="Detected*.csv" OR source="Stopped*.csv") sourcetype="csv"
| eval cat = if(cat=="new", "web", cat)
| eval action = if( like( notif , "%Deny%" ) OR like( notif , "%Block%" ), "Blocked" , "Detected" )
| stats values(rep) as "Rep", count(action) as total, count(eval(action="Blocked")) as BlockedCount by cat
| rename cat as categories
Let me know if that's what you're looking for.
PS: Also if you only want the count of blocked events regardless of the detected ones you should simply use that as a filter in your initial query as follows :
index=test_csv (source="Detected*.csv" OR source="Stopped*.csv") sourcetype="csv" (notif="*Deny*" OR notif="*Block*")
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yaichael
Communicator
05-14-2019
05:49 AM
After seeing you guys suggestions, I was able to come up with the subsequent query; giving me the expected results. Thanks for shedding some light on me.
index=test_csv (source="Detected*.csv" OR source="Stopped*.csv") sourcetype="csv"
| eval cat = if(cat=="new", "web", cat)
| eval action = if( like( notif , "%Deny%" ) OR like( notif , "%Terminat%" ) OR like( notif , "%Block%" ), "Blocked" , "Detected" )
| stats count(action) as detected , count(eval(action=="Blocked")) as blocked by rep , cat
| sort -detected , -blocked
| stats values(rep) as "Rep" , list(detected) as Detected , list(blocked) as Blocked by cat
| sort -Detected
| rename cat as categories
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vijeta
Influencer
05-13-2019
09:53 AM
Your first stats command does not have action field so second stats command will not be able to eval on action.
Try changing your first stats command to
| stats count(action) as tcount by rep , cat, action
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yaichael
Communicator
05-13-2019
11:47 AM
Doing what you suggested made the statistics show incorrect values for Detected and Blocked.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vijeta
Influencer
05-13-2019
12:17 PM
@Yaichael Why are you using list(eval(action="Blocked")). If you want to show Detected and Blocked count you can use below query
index=test_csv (source="Detected*.csv" OR source="Stopped*.csv") sourcetype="csv"
| eval cat = if(cat=="new", "web", cat)
| eval action = if( like( notif , "%Deny%" ) OR like( notif , "%Block%" ), "Blocked" , "Detected" )
| stats values(rep) as "Rep" , count(action) as Detected , count(eval(action="Blocked")) as Blocked by cat
| sort -Detected
| rename cat as categories
Got questions? Get answers!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Meet up IRL or virtually!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Get Updates on the Splunk Community!
Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0
Are you ready to transform how your team handles complex data requests?
We invite you to our upcoming ...
Announcing Modern Navigation: A New Era of Splunk User Experience
We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...
