Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why are the blocked data counts not showing up?

Yaichael
Communicator
‎05-13-2019 09:48 AM

Good day,

I've the following query where I want to show the amount of times a category was notified "Blocked"
out of the "Detected" ones, but the "Blocked" column isn't bringing up any results.

index=test_csv (source="Detected*.csv" OR source="Stopped*.csv") sourcetype="csv"
| eval cat = if(cat=="new", "web", cat)
| eval action = if( like( notif , "%Deny%" ) OR like( notif , "%Block%" ), "Blocked" , "Detected" )
| stats count(action) as tcount by rep , cat
| sort -tcount
| stats values(rep) as "Rep" , list(tcount) as Detected , list(eval(action=="Blocked")) as Blocked by cat
| sort -Detected
| rename cat as categories

What am I missing?

Thanks!

Tags (1)
0 Karma
Reply

DavidHourani
Super Champion
‎05-13-2019 12:54 PM

Hi @Yaichael,

Nice query you've got there, just needs a minor tweak, try it as follows : 

 index=test_csv (source="Detected*.csv" OR source="Stopped*.csv") sourcetype="csv"
 | eval cat = if(cat=="new", "web", cat)
 | eval action = if( like( notif , "%Deny%" ) OR like( notif , "%Block%" ), "Blocked" , "Detected" )
 | stats values(rep) as "Rep",  count(action) as total, count(eval(action="Blocked")) as BlockedCount by cat
 | rename cat as categories

Let me know if that's what you're looking for.

PS: Also if you only want the count of blocked events regardless of the detected ones you should simply use that as a filter in your initial query as follows : 

index=test_csv (source="Detected*.csv" OR source="Stopped*.csv") sourcetype="csv" (notif="*Deny*" OR notif="*Block*")

Cheers,
David

0 Karma
Reply

Yaichael
Communicator
‎05-14-2019 05:49 AM

After seeing you guys suggestions, I was able to come up with the subsequent query; giving me the expected results. Thanks for shedding some light on me.

index=test_csv (source="Detected*.csv" OR source="Stopped*.csv") sourcetype="csv"
| eval cat = if(cat=="new", "web", cat)
| eval action = if( like( notif , "%Deny%" ) OR like( notif , "%Terminat%" ) OR like( notif , "%Block%" ), "Blocked" , "Detected" )
| stats count(action) as detected , count(eval(action=="Blocked")) as blocked by rep , cat
| sort -detected , -blocked
| stats values(rep) as "Rep" , list(detected) as Detected , list(blocked) as Blocked by cat
| sort -Detected
| rename cat as categories
0 Karma
Reply

Vijeta
Influencer
‎05-13-2019 09:53 AM

Your first stats command does not have action field so second stats command will not be able to eval on action.
Try changing your first stats command to 

| stats count(action) as tcount by rep , cat, action
0 Karma
Reply

Yaichael
Communicator
‎05-13-2019 11:47 AM

Doing what you suggested made the statistics show incorrect values for Detected and Blocked.

0 Karma
Reply

Vijeta
Influencer
‎05-13-2019 12:17 PM

@Yaichael Why are you using list(eval(action="Blocked")). If you want to show Detected and Blocked count you can use below query

 index=test_csv (source="Detected*.csv" OR source="Stopped*.csv") sourcetype="csv"
 | eval cat = if(cat=="new", "web", cat)
 | eval action = if( like( notif , "%Deny%" ) OR like( notif , "%Block%" ), "Blocked" , "Detected" )

 | stats values(rep) as "Rep" , count(action) as Detected , count(eval(action="Blocked")) as Blocked by cat
 | sort -Detected
 | rename cat as categories
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...