Solved: Re: report only specific eventtypes

EricPartington · ‎05-28-2011

I would like to report only on specific eventtypes.

I have a search that returns the eventtypes that i want to chart vs. each other (firewall-accept vs firewall-deny). But I also have a number of other eventtypes that apply to this data that also show up in this search (eventtype=cisco_firewall)

How can I only show the two eventtypes that I care about in the timechart (accept vs deny)

mw · ‎05-29-2011

Your search could either look something like:

(eventtype="firewall-accept" OR eventtype="firewall-deny") other search terms | timechart count by eventtype

or it could filter to the eventtypes

... | eval a=mvfilter(eventtype == "firewall-accept" or eventtype == "firewall-deny") | search a=* | timechart count by a

The first would probably be the cleanest way, if you're able to use either method.

View solution in original post

stollefsen · ‎07-25-2016

Neither 2 options worked for me in version 6.x.x. Interesting. I went back and disabled the one eventtype, I needed removed in my dashboard.

mw · ‎05-29-2011

Your search could either look something like:

(eventtype="firewall-accept" OR eventtype="firewall-deny") other search terms | timechart count by eventtype

or it could filter to the eventtypes

... | eval a=mvfilter(eventtype == "firewall-accept" or eventtype == "firewall-deny") | search a=* | timechart count by a

The first would probably be the cleanest way, if you're able to use either method.

mfscully · ‎04-05-2015

Second option solved my problem as well! Thanks!

klaurean · ‎07-02-2012

I had this same problem and the second option was perfect. Thank you!

EricPartington · ‎05-29-2011

The second query works like a charm, thanks

report only specific eventtypes

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!