Splunk Search

count events from a radio button choice issue

jip31
Motivator

Hello

I use the code below in order to display the events corresponding to these event codes:
index="windows" sourcetype="wineventlog:*" "SourceName=Application Error" (EventCode=1000 OR EventCode =1001 OR EventCode =1002 OR EventCode =1 OR EventCode =2) | dedup _time|table _time host EventCode Type Message

The code returns 4 events
I want to do the same thing from a radio button choice

index="windows" sourcetype="wineventlog:*" "SourceName=Application Error"  (EventCode=1000 OR EventCode =1001 OR EventCode =1002 OR EventCode =1 OR EventCode =2 EventCode=$EventCode$ )  | stats dc(EventCode)

But it returns only 1 event, although with the selection I make on the radio button I should normally have 4 events.
What do I have to do, please?
THANKS

0 Karma

renjith_nair
Legend

@jip31,

Change your search to

index="windows" sourcetype="wineventlog:*" "SourceName=Application Error"  EventCode=$EventCode$   | stats count by EventCode

By dc(EventCode) in your original search, you are counting only the distinct values of EventCode, which is always 1 since you are selecting 1 event code from the radio button.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

jip31
Motivator

RENJITH
it doesn't work
I always have one event
1,000 is displayed instead of 1....

0 Karma

jip31
Motivator

In fact, now I have 1000 instead of 1
Please find the XML here:
https://cjoint.com/c/HIqfSrT4MXd

0 Karma

renjith_nair
Legend

@jip31, sorry, I could not understand the XML due to formatting. Nevertheless, how should your output result look?
When you select "1000" as radio button option, then it should display

EventCode    Count
1000         1

OR

EventCode    Count
1000         Some Values (Total number of events for event code 1000)

Or something else?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

renjith_nair
Legend

Is it possible to share your XML? Mask any sensitive data.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

jip31
Motivator

I have 5 buttons: 1000, 1001, 1002, 1, 2
When I click on a button, I want my request to count the number of events with the event code 1000, the number of events with the number 1001, etc.
So I just want a column with the name of the event code and a column with the count of events linked to the event code.
To my mind it's normal that there is no OR, because EventCode=$EventCode$ is just the name of my radio button panel.
Actually my request just counts the number of 1000 (so always 1...) and not the number of events with the event code 1000.

0 Karma

renjith_nair
Legend

@jip31,
What's in your radio buttons? Are they event codes? In the above search, an OR between "EventCode =2 EventCode=$EventCode$ " is missing. Is it a typo? How should your final result look?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma