Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

exclude certain event type from count

noman377
Explorer
‎08-05-2020 10:04 PM

Hi, I have a stat on eventtype like this

index=xyz | stats count by eventtype

This query generates:

All_logs  = 14

Error = 2

Login = 4

Auth = 8

Where All_logs is also an eventtype which encomapsses all events: Error, Login and Auth

How can I rewrite this query so I will see count of eventtype excluding All_logs and Login events

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎08-06-2020 08:35 AM

 index=xyz | stats count by eventtype | search eventtype IN (“Error”,”Auth”)

————————————
If this helps, give a like below.

View solution in original post

Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎08-05-2020 11:36 PM

@noman377 

 

I used many dummy fields to make you understand 

| makeresults | eval _raw="eventtype,
All_logs,
Error|All_logs,
Login|All_logs,
Auth|All_logs"
| multikv forceheader=1 `comment("prepares sample dataset")`
| makemv eventtype delim="|" 
| eval eventtype_dup=eventtype
| mvcombine eventtype_dup delim=","
| rex field=eventtype_dup mode=sed "s/All_logs//g"
| fillnull eventtype_dup 
| eval eventtype_dup2=if(eventtype_dup=="",eventtype,eventtype_dup)
| stats count by eventtype_dup2

 

up vote if it solves your issue.

————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution

noman377
Explorer
‎08-06-2020 07:22 AM

@thambisetty , still seeing All_logs and Login events in the stats count 😞

0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎08-06-2020 07:33 AM

if you looked at my answer, it contains 4 rows like below

thambisetty_1-1596724312405.png

Look at eventtype field All_logs is present in all rows but if you see final output the count of All_logs below is 1 because All_logs is present in one row alone with out any other value.

thambisetty_0-1596724261671.png

 

————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution

noman377
Explorer
‎08-06-2020 08:15 AM

@thambisetty , I am sorry, my post probably was not very clear. Let me rephrase...
Original query:   index=xyz | stats count by eventtype

where All_logs encompasses every log in the search (100% coverage).

Current Result:

eventtype

count

All_logs

14

Error

2

Login

4

Auth

8

 

Expected Result:

eventtype

count

Error

2

Auth

8

 

Appreciate all your help.

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎08-06-2020 08:35 AM

 index=xyz | stats count by eventtype | search eventtype IN (“Error”,”Auth”)

————————————
If this helps, give a like below.
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...