Splunk Search

exclude certain event type from count

noman377
Explorer

Hi, I have a stats on eventtype like this:

index=xyz | stats count by eventtype

This query generates:

All_logs = 14
Error = 2
Login = 4
Auth = 8

Where All_logs is also an eventtype which encompasses all events: Error, Login and Auth.

How can I rewrite this query so I will see the count of eventtypes excluding All_logs and Login events?


thambisetty
SplunkTrust
SplunkTrust

@noman377

I used many dummy fields to help you understand:

| makeresults | eval _raw="eventtype,
All_logs,
Error|All_logs,
Login|All_logs,
Auth|All_logs"
| multikv forceheader=1 `comment("prepares sample dataset")`
| makemv eventtype delim="|" 
| eval eventtype_dup=eventtype
| mvcombine eventtype_dup delim=","
| rex field=eventtype_dup mode=sed "s/All_logs//g"
| fillnull eventtype_dup 
| eval eventtype_dup2=if(eventtype_dup=="",eventtype,eventtype_dup)
| stats count by eventtype_dup2

Upvote if it solves your issue.

————————————
If this helps, give a like below.

noman377
Explorer

@thambisetty, still seeing All_logs and Login events in the stats count 😞

thambisetty
SplunkTrust
SplunkTrust

If you look at my answer, it contains 4 rows, like below:

[screenshot: thambisetty_1-1596724312405.png]

Look at the eventtype field: All_logs is present in all rows, but if you look at the final output, the count of All_logs below is 1, because All_logs is present in one row alone, without any other value.

[screenshot: thambisetty_0-1596724261671.png]

noman377
Explorer

@thambisetty, I am sorry, my post probably was not very clear. Let me rephrase...

Original query: index=xyz | stats count by eventtype

where All_logs encompasses every log in the search (100% coverage).

Current Result:

eventtype | count
----------+------
All_logs  | 14
Error     | 2
Login     | 4
Auth      | 8

Expected Result:

eventtype | count
----------+------
Error     | 2
Auth      | 8

Appreciate all your help.

thambisetty
SplunkTrust
SplunkTrust

index=xyz | stats count by eventtype | search eventtype IN ("Error","Auth")

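Added illustration, not from the thread: it shows why the filter has to come after stats when eventtype is multivalued, and goes a step beyond the accepted answer by using the exclusion form (so new eventtypes still show up) and by showing a value-level pre-stats alternative with mvfilter. The four events are constructed with makeresults; every one carries All_logs, three also carry a second eventtype value; the `comment` macro is the same one used in the reply above and is assumed to be defined in your environment.

```spl
| makeresults `comment("constructed sample: 4 events, each tagged All_logs, three with a second eventtype value")`
| eval rows="Error|All_logs;Auth|All_logs;Login|All_logs;All_logs"
| makemv delim=";" rows
| mvexpand rows
| eval eventtype=split(rows, "|")
| fields - rows
| stats count by eventtype `comment("baseline: one row per eventtype value, All_logs counted for every event")`

| makeresults `comment("WRONG: whole-event exclusion before stats; every event has an All_logs value, so NOT eventtype=All_logs matches nothing and the result is empty")`
| eval rows="Error|All_logs;Auth|All_logs;Login|All_logs;All_logs"
| makemv delim=";" rows
| mvexpand rows
| eval eventtype=split(rows, "|")
| fields - rows
| search NOT eventtype="All_logs"
| stats count by eventtype

| makeresults `comment("RIGHT: stats first turns the multivalue field into one single-valued row per eventtype, then drop the rows you do not want; unlike IN (Error, Auth), any new eventtype still appears")`
| eval rows="Error|All_logs;Auth|All_logs;Login|All_logs;All_logs"
| makemv delim=";" rows
| mvexpand rows
| eval eventtype=split(rows, "|")
| fields - rows
| stats count by eventtype
| search NOT eventtype IN ("All_logs","Login")

| makeresults `comment("ALSO RIGHT, before stats: strip only the unwanted values from the multivalue field; an event left with no eventtype value is dropped by stats ... by")`
| eval rows="Error|All_logs;Auth|All_logs;Login|All_logs;All_logs"
| makemv delim=";" rows
| mvexpand rows
| eval eventtype=split(rows, "|")
| fields - rows
| eval eventtype=mvfilter(NOT match(eventtype, "^(All_logs|Login)$"))
| stats count by eventtype
```

Run each pipeline on its own; on real data replace the makeresults prefix with `index=xyz` and keep only the lines after `fields - rows`.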