Hello,
I have two searches where the text expressions are different (without fields) (Login Successful and Unsuccessful). I'd like to have the number of users divided by country.
Now I would like to merge these two searches in one chart divided by country.
The table should look like:
Columns are "Country" "Login Successful" "Login unsuccessful"
1st row for example: DE 20 5
I tried to use the following search:
index="123" sourcetype="123" "Login successful" OR "Login unsuccessful"
|eval Successful_Logins=searchmatch("Login successful")
|eval Unsuccessful_Logins=searchmatch("Login unsuccessful")
|stats Successful_Logins Unsuccessful Logins by country
How can I merge two searches without fields (no fields are used for "Login (un)successful")?
Thank you in advance!
You can use searchmatch and eval in your stats expression.
index=123 sourcetype=123 "Login successful" OR "Login unsuccessful" | stats count(eval(searchmatch("Login successful"))) as Successful_Logins count(eval(searchmatch("Login unsuccessful"))) as Unsuccessful_Logins by country
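As an added, self-contained example (not part of the answer above), the following search builds a handful of constructed login events with makeresults instead of reading from an index, extracts the country with rex (the field name "country" and the "country=XX" layout of the sample lines are assumptions for this example), and then applies the same count(eval(searchmatch(...))) pattern to produce the Country / Successful / Unsuccessful table the question asks for. It runs on any Splunk instance without needing the original index.

```spl
| makeresults count=6
| streamstats count AS n
| eval _raw=case(
    n=1, "2024-01-01 10:00:00 Login successful user=alice country=DE",
    n=2, "2024-01-01 10:01:00 Login successful user=bob country=DE",
    n=3, "2024-01-01 10:02:00 Login unsuccessful user=carol country=DE",
    n=4, "2024-01-01 10:03:00 Login successful user=dave country=FR",
    n=5, "2024-01-01 10:04:00 Login unsuccessful user=erin country=FR",
    n=6, "2024-01-01 10:05:00 Login unsuccessful user=mallory country=FR")
| rex field=_raw "country=(?<country>\w+)"
| stats count(eval(searchmatch("Login successful"))) AS Successful_Logins
        count(eval(searchmatch("Login unsuccessful"))) AS Unsuccessful_Logins
        BY country
```

With the constructed events above you get one row per country: DE with 2 successful and 1 unsuccessful, FR with 1 successful and 2 unsuccessful. The eval inside count() only counts events where searchmatch returns true, which is what lets one stats call produce both columns from a single base search. searchmatch takes exactly one double-quoted search string, so if you see "The arguments to the 'searchmatch' function are invalid", check the quoting of that argument first. A failed-login count broken down by country like this is also a handy baseline for spotting credential-stuffing or brute-force attempts that originate from an unexpected region.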
Sorry, it was my fault. Now your search is working fine! Thanks!
Can you post the exact search you are running? What version of Splunk?
This exact search worked for me against Windows Security Log Data
*| stats count(eval(searchmatch("Success Audit"))) as Successful_Logins count(eval(searchmatch("Fail* Audit"))) as Unsuccessful_Logins
Error='The arguments to the 'searchmatch' function are invalid.
Another idea?