Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

search not returning expected results

crossap
Path Finder
‎05-14-2015 06:38 AM

Hi,

I am using DBConnect to connect to a DB export from Qualys

This export shows the results of a scan to determine if autoplay is disabled

I want to create a % machines that are compliant - the table has

ID | HOST_ID | CONTROL_ID | STATUS

when using the below search it shows me 0 results in passed and the total machine number is 575 (passed & failed)

| dbquery "DB_NAME" "SELECT * FROM SANS0503" | stats count(eval(STATUS=Passed)) as Passed count as total

If I perform | dbquery "DB_NAME" "SELECT * FROM SANS0503" | search STATUS=Passed I get the result of 551 (which is great) but I do not understand why I am getting 0?

thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-14-2015 06:45 AM

Have you tried ...| stats count(eval(STATUS="Passed")) ...?

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎05-14-2015 06:45 AM

Have you tried ...| stats count(eval(STATUS="Passed")) ...?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

crossap
Path Finder
‎05-14-2015 06:49 AM

Hi Rich,

that worked perfectly - thank you so much!

Sorry to be annoying but why does it require ""

a very similar search

stats count(eval(FAILED<1)) as success count as total | eval Compliant %=success/total*100

Works perfectly without?

thanks

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-14-2015 07:00 AM

You're welcome.

In eval(STATUS=Passed) Splunk is comparing the field STATUS to the field Passed.
in eval(STATUS="Passed") Splunk is comparing the field STATUS to the string "Passed".
in eval(FAILED&lt;1) Splunk is comparing the field FAILED to the number 1.

Yes, it's a little inconsistent with the search command that accepts strings without quotes.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

crossap
Path Finder
‎05-14-2015 07:04 AM

Thanks again Rich

It's just I am trying work out where I am going wrong, to avoid posting to many community questions 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...