Splunk Search

eval command for two types of error

ksharma7

Hi,

I have this query:

index="app" sourcetype="rxc" host="rxc-ip*" id=7 URL="/user/unauth" OR referer="https://quest.com/user/unauth*" earliest=-15m@m latest=now | dedup qid | eval "Error"=id+"-"+Name+"(Impacted-"+referer+"OR"+URL+")" | stats count by "Error"

What I am looking for is that it should count the occurrences of either URL or referer, dedup the qid (as some qid values are common to both), and then give me a result like:

7-name:Impacted-/user/unauth            100

But stats is not working in this case for me... probably because eval is not used correctly... can someone help?

0 Karma

jadengoho

Here's the breakdown of the Code:

index="app" sourcetype="rxc" host="rxc-ip*" id=7 URL="/user/unauth" OR referer="https://quest.com/user/unauth*" earliest=-15m@m latest=now
- [ Base search ]

| dedup qid
- Using dedup will remove all the duplicates for the specific field.
- Example: You have 30 events of "00001" and 10 events of "00002", in a total of 50 events. Once you use the dedup command you will only get 1 event for each, meaning you will get only 2 rows.

| eval "Error"=id+"-"+Name+"(Impacted-"+referer+"OR"+URL+")"
| stats count by "Error"

Also a screenshot or result would be helpful in this situation.

0 Karma
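
An added example, not part of either post above: a self-contained search that builds five constructed events with `makeresults` and runs the same dedup / eval / stats pipeline, so the behaviour can be checked without the real index. It assumes the empty `stats` result comes from the `eval`: `+` only concatenates two strings (here `id` is a number), and any event where `referer` or `URL` is missing makes the whole expression null, so the example uses the `.` operator and `coalesce()` instead. The field values and the helper fields `n` and `Impacted` are made up for the illustration.

```spl
| makeresults count=5
| streamstats count AS n
| eval qid=case(n<=2, "00001", n<=4, "00002", true(), "00003")
| eval id=7, Name="name"
| eval URL=if(n==1 OR n==5, "/user/unauth", null())
| eval referer=if(n>=2 AND n<=4, "https://quest.com/user/unauth?x=1", null())
| dedup qid
| eval Impacted=coalesce(URL, referer)
| eval Error=id."-".Name."(Impacted-".Impacted.")"
| stats count by Error
```

After `dedup qid` three events remain (one per qid), and `stats` returns one row per distinct Error string. To fold the URL and referer variants into a single row, normalise `Impacted` to the path before building `Error`.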