Splunk Search

exclude certain event type from count

noman377
Explorer

Hi, I have a stat on eventtype like this

index=xyz | stats count by eventtype

This query generates:

All_logs  = 14

Error = 2

Login = 4

Auth = 8

Where All_logs is also an eventtype which encompasses all events: Error, Login and Auth

How can I rewrite this query so I will see the count by eventtype excluding All_logs and Login events?

Accepted Solution

thambisetty
SplunkTrust

index=xyz | stats count by eventtype | search eventtype IN ("Error","Auth")

————————————
If this helps, give a like below.


thambisetty
SplunkTrust

@noman377 


I used many dummy fields to help you understand:

| makeresults | eval _raw="eventtype,
All_logs,
Error|All_logs,
Login|All_logs,
Auth|All_logs"
| multikv forceheader=1 `comment("prepares sample dataset")`
| makemv eventtype delim="|"
| eval eventtype_dup=eventtype
| mvcombine eventtype_dup delim=","
| rex field=eventtype_dup mode=sed "s/All_logs//g"
| fillnull eventtype_dup
| eval eventtype_dup2=if(eventtype_dup=="",eventtype,eventtype_dup)
| stats count by eventtype_dup2

Upvote if it solves your issue.

noman377
Explorer

@thambisetty , still seeing All_logs and Login events in the stats count 😞


thambisetty
SplunkTrust

If you look at my answer, it contains 4 rows like below:

[screenshot: the four sample rows produced by the search above]

Look at the eventtype field: All_logs is present in all rows, but if you look at the final output, the count of All_logs below is 1, because All_logs is present in only one row without any other value.

[screenshot: the final stats count by eventtype_dup2 output]

noman377
Explorer

@thambisetty , I am sorry, my post probably was not very clear. Let me rephrase...
Original query:   index=xyz | stats count by eventtype

where All_logs encompasses every log in the search (100% coverage).

Current Result:

eventtype   count
All_logs    14
Error       2
Login       4
Auth        8

Expected Result:

eventtype   count
Error       2
Auth        8

Appreciate all your help.


thambisetty
SplunkTrust

index=xyz | stats count by eventtype | search eventtype IN ("Error","Auth")

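A self-contained version of the accepted approach, added here as an illustration and not part of the original thread. It builds a constructed 14-event dataset with makeresults (no index needed), tags every event with the catch-all All_logs eventtype so the eventtype field is multivalue exactly as in the question, and then drops the unwanted eventtypes only after stats. The counts 2/4/8 and the field names are assumptions chosen to match the numbers in the question:

```spl
| makeresults count=14
| streamstats count AS n
    `comment("constructed data: 2 Error, 4 Login, 8 Auth events")`
| eval eventtype=case(n<=2, "Error", n<=6, "Login", true(), "Auth")
    `comment("every event also matches the catch-all eventtype, so eventtype becomes multivalue")`
| eval eventtype=mvappend(eventtype, "All_logs")
    `comment("stats splits the multivalue field, so All_logs counts 14, Error 2, Login 4, Auth 8")`
| stats count BY eventtype
    `comment("filter AFTER stats: drop the rows, not the events")`
| where eventtype!="All_logs" AND eventtype!="Login"
```

The order matters. Filtering before stats with `index=xyz NOT eventtype=All_logs` returns nothing, because every event carries the All_logs value in its multivalue eventtype field and is removed along with it. Filtering after stats, with `where` as above or with `| search eventtype IN ("Error","Auth")` as in the accepted answer, leaves the per-eventtype counts intact and only removes the All_logs and Login rows, which gives Error 2 and Auth 8.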