Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

count events from a radio button choice issue

jip31
Motivator
‎09-15-2018 12:15 AM

Hello

I use the code below in order to display the events corresponding to these event code
index="windows" sourcetype="wineventlog:*" "SourceName=Application Error" (EventCode=1000 OR EventCode =1001 OR EventCode =1002 OR EventCode =1 OR EventCode =2) | dedup _time|table _time host EventCode Type Message

The code returns 4 events
I want to do the same thing from a radio button choice

index="windows" sourcetype="wineventlog:*" "SourceName=Application Error"  (EventCode=1000 OR EventCode =1001 OR EventCode =1002 OR EventCode =1 OR EventCode =2 EventCode=$EventCode$ )  | stats dc(EventCode)

But it returns me only 1 event but normally with the selection I make on the radio button i should have 4 events
What i have to do please??
THANKS

Tags (1)
0 Karma
Reply

renjith_nair
SplunkTrust
SplunkTrust
‎09-15-2018 04:45 AM

@jip31,

Change your search to 

index="windows" sourcetype="wineventlog:*" "SourceName=Application Error"  EventCode=$EventCode$   | stats count by EventCode

By dc(EventCode) in your original search, you are counting only the distinct values of EventCode which is always 1 since you are selecting 1 event code from the radio button

Happy Splunking!
0 Karma
Reply

jip31
Motivator
‎09-15-2018 08:41 AM

RENJITH
it doesnt works
I have always one event
1,000 is dusplayed instead 1....

0 Karma
Reply

jip31
Motivator
‎09-15-2018 10:44 PM

In fact now I have 1000 instead 1
please find the xml here :
https://cjoint.com/c/HIqfSrT4MXd

0 Karma
Reply

renjith_nair
SplunkTrust
SplunkTrust
‎09-16-2018 03:38 AM

@jip31,, Sorry I could not understand the xml due to formatting. Nevertheless, hows your output result should like ?
When you select "1000" as radio button option, then it should display

EventCode Count
1000              1

OR

 EventCode Count
   1000           Some Values (Total number of events for event code 1000)

Or something else?

Happy Splunking!
0 Karma
Reply

renjith_nair
SplunkTrust
SplunkTrust
‎09-15-2018 09:03 AM

Is it possible to share your xml? Mask any sensitive data

Happy Splunking!
0 Karma
Reply

jip31
Motivator
‎09-15-2018 02:17 AM

I have 5 button: 1000, 1001, 1002, 1, 2
When I click on the button i want that my request count the number of events with the event code 1000, the number of events with the number 1001 etc....
So i just want a column with the name of the event code and a column with the count of event linked to the event code
To my mind its normal there is no OR because EventCode=$EventCode$ is the just the name of my button radio panel
Actually my request just count the number of 1000 (so always 1...) and not the event number with the event code 1000

0 Karma
Reply

renjith_nair
SplunkTrust
SplunkTrust
‎09-15-2018 12:30 AM

@jip31,
What's in your radio buttons? Are they event codes? In the above search an OR between "EventCode =2 EventCode=$EventCode$ " is missing. Is it a typo? Hows your final result should look like?

Happy Splunking!
0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...