- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: count events from a radio button choice issue
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
count events from a radio button choice issue
Hello
I use the code below in order to display the events corresponding to these event code
index="windows" sourcetype="wineventlog:*" "SourceName=Application Error" (EventCode=1000 OR EventCode =1001 OR EventCode =1002 OR EventCode =1 OR EventCode =2) | dedup _time|table _time host EventCode Type Message
The code returns 4 events
I want to do the same thing from a radio button choice
index="windows" sourcetype="wineventlog:*" "SourceName=Application Error" (EventCode=1000 OR EventCode =1001 OR EventCode =1002 OR EventCode =1 OR EventCode =2 EventCode=$EventCode$ ) | stats dc(EventCode)
But it returns me only 1 event but normally with the selection I make on the radio button i should have 4 events
What i have to do please??
THANKS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jip31,
Change your search to
index="windows" sourcetype="wineventlog:*" "SourceName=Application Error" EventCode=$EventCode$ | stats count by EventCode
By dc(EventCode) in your original search, you are counting only the distinct values of EventCode which is always 1 since you are selecting 1 event code from the radio button
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
RENJITH
it doesnt works
I have always one event
1,000 is dusplayed instead 1....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In fact now I have 1000 instead 1
please find the xml here :
https://cjoint.com/c/HIqfSrT4MXd
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jip31,, Sorry I could not understand the xml due to formatting. Nevertheless, hows your output result should like ?
When you select "1000" as radio button option, then it should display
EventCode Count
1000 1
OR
EventCode Count
1000 Some Values (Total number of events for event code 1000)
Or something else?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to share your xml? Mask any sensitive data
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have 5 button: 1000, 1001, 1002, 1, 2
When I click on the button i want that my request count the number of events with the event code 1000, the number of events with the number 1001 etc....
So i just want a column with the name of the event code and a column with the count of event linked to the event code
To my mind its normal there is no OR because EventCode=$EventCode$ is the just the name of my button radio panel
Actually my request just count the number of 1000 (so always 1...) and not the event number with the event code 1000
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jip31,
What's in your radio buttons? Are they event codes? In the above search an OR between "EventCode =2 EventCode=$EventCode$ " is missing. Is it a typo? Hows your final result should look like?
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
