I'm developing a very simple search for a customer.
tag=mysourcetype tag=myeventtype startdaysago=7 tag= | stats count by _time,User_Name,"tag::eventtype" ....
An example could be as follows:
tag::sourcetype=WINDOWS tag::eventtype=an_action startdaysago=7 tag=groupfoo | stats count by _time,User_Name,"tag::eventtype" ...
I'm using several eventtypes to identify:
an_action = there are approximately 60 eventcodes saved as eventtypes to identify 5 categories of actions
groupfoo = there are eventtypes to identify those groups.
The customer wants a simple table where WHEN, WHO and WHAT are clear.
The trouble is with WHAT:
| stats count by _time,User_Name,"tag::eventtype"
produces good rows (those regarding the action), but I also get duplicated results because of the groupfoo eventtypes. I mean that groupfoo is also defined as an eventtype, so for each time I get duplicated results: one (or more) from the perspective of the action, which is what I'm looking for, and another one from the perspective of groupfoo, which is the sum of all the previous rows.
Using the inputlookup command, the results aren't better:
I built a lookup table for all those events I'm interested in, but:
| inputlookup mylookuptable.csv ---> works
tag::sourcetype=WINDOWS startdaysago=7 tag= [| inputlookup mylookuptable.csv | format ] | stats count by _time,User_Name, ...
returns 0 events
Where am I wrong?
Thanks in advance for your time and for any suggestions you would gently provide.
I don't think that this is because of the output of the initial search, whether you use tag= or the inputlookup. Splunk will not emit the same event twice to the rest of the search string. The issue is probably that stats count will emit two rows if the tag::eventtype is a multivalued field (that is, there are two tags for the eventtype in the same event).
The easiest thing to do here is to use the mvcombine command to flatten the tag::eventtype into a single valued field. You may want to filter out the tags to be those that match your "whats." For example, you may want to have the search be:
tag::sourcetype=WINDOWS tag::eventtype=an_action startdaysago=7 tag=groupfoo | eval what=mvfilter(tag::eventtype LIKE "what-%") | mvcombine what | stats count by _time,User_Name,what ...
Thanks so much for your time: I really appreciate your support and your professionalism.
Have a good day!
eval what=mvfilter(tag::eventtype LIKE "what-%") exits with this error:
Error in 'eval' command: Malformed expression - ) expected.
Any idea? Thanks
Hi nik - eval thinks the '::' in the tag is an operator. When you have a field with special characters in an eval expression, surround that field with single quotes or dollar signs. Try this: eval what=mvfilter('tag::eventtype' LIKE "what-%")
Hello Marklar, sorry for my 'silly' question, but you're absolutely right. Thanks a lot!
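The mechanism behind the accepted answer (a multivalued by-field makes stats emit one row per value, and filtering the values with mvfilter removes the groupfoo perspective) can be seen outside Splunk with a small model. The following is an added Python illustration, not Splunk itself and not code from this thread: the events are constructed, the field names (_time, User_Name, tag::eventtype, what) mirror the searches above, the mvfilter call is written with the quoted 'tag::eventtype' form from the last reply, and the mvcombine step is left out to keep the model honest about what it reproduces.

```python
from collections import Counter
from itertools import product

# Constructed sample events (not real customer data): every event carries
# both its action tag(s) and the group tag "groupfoo", so "tag::eventtype"
# is a multivalued field, exactly the situation described in the question.
EVENTS = [
    {"_time": "10:00", "User_Name": "alice", "tag::eventtype": ["what-login", "groupfoo"]},
    {"_time": "10:00", "User_Name": "alice", "tag::eventtype": ["what-login", "groupfoo"]},
    {"_time": "11:00", "User_Name": "bob", "tag::eventtype": ["what-delete", "what-modify", "groupfoo"]},
]


def as_list(value):
    """Treat a single-valued field as a one-element multivalue field."""
    return value if isinstance(value, list) else [value]


def stats_count_by(events, by_fields):
    """Model of `stats count by f1,f2,...`: a multivalued by-field is expanded,
    so one event contributes one row per value. That expansion is what turns
    the groupfoo tag into an extra "sum of the action rows" line per user/time."""
    counts = Counter()
    for ev in events:
        for combo in product(*(as_list(ev.get(f)) for f in by_fields)):
            counts[combo] += 1
    return dict(sorted(counts.items()))


def mvfilter_like(values, prefix):
    """Model of eval what=mvfilter('tag::eventtype' LIKE "<prefix>%"):
    keep only the values that start with the prefix."""
    return [v for v in as_list(values) if v.startswith(prefix)]


def naive_search(events):
    """The original search: stats count by _time,User_Name,"tag::eventtype"."""
    return stats_count_by(events, ["_time", "User_Name", "tag::eventtype"])


def fixed_search(events):
    """The answer's approach: restrict the multivalue field to the action
    tags first, then count by the filtered field instead of the raw tag list."""
    filtered = [{**ev, "what": mvfilter_like(ev["tag::eventtype"], "what-")} for ev in events]
    return stats_count_by(filtered, ["_time", "User_Name", "what"])
```

Running naive_search on the sample yields a groupfoo row next to each action row, while fixed_search yields only the action rows, so bob's two actions still appear as two separate WHAT lines.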