Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

exclude certain event type from count

noman377
Explorer
‎08-05-2020 10:04 PM

Hi, I have a stat on eventtype like this

index=xyz | stats count by eventtype

This query generates:

All_logs  = 14

Error = 2

Login = 4

Auth = 8

Where All_logs is also an eventtype which encomapsses all events: Error, Login and Auth

How can I rewrite this query so I will see count of eventtype excluding All_logs and Login events

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎08-06-2020 08:35 AM

 index=xyz | stats count by eventtype | search eventtype IN (“Error”,”Auth”)

————————————
If this helps, give a like below.

View solution in original post

Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎08-05-2020 11:36 PM

@noman377 

 

I used many dummy fields to make you understand 

| makeresults | eval _raw="eventtype,
All_logs,
Error|All_logs,
Login|All_logs,
Auth|All_logs"
| multikv forceheader=1 `comment("prepares sample dataset")`
| makemv eventtype delim="|" 
| eval eventtype_dup=eventtype
| mvcombine eventtype_dup delim=","
| rex field=eventtype_dup mode=sed "s/All_logs//g"
| fillnull eventtype_dup 
| eval eventtype_dup2=if(eventtype_dup=="",eventtype,eventtype_dup)
| stats count by eventtype_dup2

 

up vote if it solves your issue.

————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution

noman377
Explorer
‎08-06-2020 07:22 AM

@thambisetty , still seeing All_logs and Login events in the stats count 😞

0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎08-06-2020 07:33 AM

if you looked at my answer, it contains 4 rows like below

thambisetty_1-1596724312405.png

Look at eventtype field All_logs is present in all rows but if you see final output the count of All_logs below is 1 because All_logs is present in one row alone with out any other value.

thambisetty_0-1596724261671.png

 

————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution

noman377
Explorer
‎08-06-2020 08:15 AM

@thambisetty , I am sorry, my post probably was not very clear. Let me rephrase...
Original query:   index=xyz | stats count by eventtype

where All_logs encompasses every log in the search (100% coverage).

Current Result:

eventtype

count

All_logs

14

Error

2

Login

4

Auth

8

 

Expected Result:

eventtype

count

Error

2

Auth

8

 

Appreciate all your help.

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎08-06-2020 08:35 AM

 index=xyz | stats count by eventtype | search eventtype IN (“Error”,”Auth”)

————————————
If this helps, give a like below.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...