Splunk Search

eval with wildcard

Mike6960
Path Finder

I am trying to use an eval but there is a wildcard so I noticed this does not work. Ho can I get this to work? I tried using match or Like but I cant get it working

......count(eval(logger ="blablabla test HTTP status: 200.")) OR logger="something id * HTTP status: 200") AS Example

Tags (2)
0 Karma

manjunathmeti
Champion

If you are counting logs with status code 200, then extract status from logger and count it. You can use extracted field to count logs with other status codes also.

| rex field=logger "status:\s(?<status>[\d]+)" | stats count(eval(status=200)) AS count
0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@Mike6960

You can try this also.

YOUR_SEARCH | eval example= case(like(logger,"blablabla test HTTP status: 200."),1,like(logger,"something id % HTTP status: 200"),1,1=1,0) | stats sum(example) as example

Sample:

| makeresults 
| eval logger="blablabla test HTTP status: 200.|something id 1234 HTTPA status: 200|something id 1234 HTTP status: 200", logger=split(logger,"|") 
| mvexpand logger
| rename comment as "Upto this is for data generation only" 
| eval example= case(like(logger,"blablabla test HTTP status: 200."),1,like(logger,"something id % HTTP status: 200"),1,1=1,0)
| stats sum(example) as example
0 Karma

nickhills
Ultra Champion

Try
|stats count(eval(like(logger,"%status: 200"))) as Example

If my comment helps, please give it a thumbs up!

shashank_24
Path Finder

This works like a charm. Thanks

0 Karma

Mike6960
Path Finder

Hi, what does 'category' do ?

0 Karma

nickhills
Ultra Champion

sorry - should have been logger - amended in the answer.

If my comment helps, please give it a thumbs up!
0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...