Splunk Search

How to find the number of fields that consists "Passed" and also the Total number of fields available.

vinod743374
Communicator

This is my sample data. i need the total "passed" 

These are the Headers, Node Name _time, Anti-Spoofing,  Rule Banner , Rule Http Rule Palo alto Username SSH Timeout Ssh Access Tacacs Telnet Rule console port config ntp server Result

NDL-ALM-GSD-BUS-FW-012021-06-24 17:27:35PassedPassedPassedPassedPassedPassedPassedPassedPassedPassedPassed
USA-DNV-CUS-BUS-FW-022021-06-24 17:27:35PassedPassedPassedPassedPassedPassedPassedPassedPassedPassedPassed
Labels (3)
0 Karma
1 Solution

vinod743374
Communicator

This is the _raw data i filtered like this. i want to know the count of the total "passed"

 

Dns Rule=Passed, HOSTNAME=Passed, username=Passed, ssh Timeout rule=Passed snmp rule=Passed, udld Rule=Passed, Enable Password=Passed, Snmp config rule=Passed, Line Vty 0 4 Timeout & acl=Passed, Line Con 0 timeout=Passed, Service Policy=Passed, Https Rule=Passed, Line Con 0=Passed, Line aux 0=Passed, Don't Username=Passed, Service Password Encryption=Passed, Aaa Server-GE=Passed, Line Vty 5 15=Passed, Image Verification=Passed, Bootp Server=Passed,Line Vty 0 4=Passed,

View solution in original post

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@vinod743374 

Can you please share sample _raw events and expected OP from that event?

0 Karma

vinod743374
Communicator

This is the _raw data i filtered like this. i want to know the count of the total "passed"

 

Dns Rule=Passed, HOSTNAME=Passed, username=Passed, ssh Timeout rule=Passed snmp rule=Passed, udld Rule=Passed, Enable Password=Passed, Snmp config rule=Passed, Line Vty 0 4 Timeout & acl=Passed, Line Con 0 timeout=Passed, Service Policy=Passed, Https Rule=Passed, Line Con 0=Passed, Line aux 0=Passed, Don't Username=Passed, Service Password Encryption=Passed, Aaa Server-GE=Passed, Line Vty 5 15=Passed, Image Verification=Passed, Bootp Server=Passed,Line Vty 0 4=Passed,

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@vinod743374 

Can you please try this?

YOUR_SEARCH 
| rex field=_raw "=(?<a>Passed)" max_match=0 | eval count=mvcount(a) | fields - a

 

My Sample Search :

| makeresults | eval _raw="Dns Rule=Passed, HOSTNAME=Passed, username=Passed, ssh Timeout rule=Passed snmp rule=Passed, udld Rule=Passed, Enable Password=Passed, Snmp config rule=Passed, Line Vty 0 4 Timeout & acl=Passed, Line Con 0 timeout=Passed, Service Policy=Passed, Https Rule=Passed, Line Con 0=Passed, Line aux 0=Passed, Don't Username=Passed, Service Password Encryption=Passed, Aaa Server-GE=Passed, Line Vty 5 15=Passed, Image Verification=Passed, Bootp Server=Passed,Line Vty 0 4=Passed" 
|rename comment as "Upto Now is sample data only" 
| rex field=_raw "=(?<a>Passed)" max_match=0 | eval count=mvcount(a)  | fields - a


 Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma

vinod743374
Communicator

Thank you so much ,
its is working .
but if in the place of Passed,  i have some Failed message like :

Critical - Pattern 'disable-http yes' was not found Pattern 'https yes' was not found

 

Can we count these Error Failed messages also ???
kindly help me with this also.

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@vinod743374 

Can you please try this?

YOUR_SEARCH
| rex field=_raw "=(?<a>Passed)" max_match=0 | eval passed_count=mvcount(a) | fields - a
| rex field=_raw "=(?<a>Failed)" max_match=0 | eval failed_count=mvcount(a) | fields - a

 

My Sample Search :

| makeresults | eval _raw="Dns Rule=Passed, HOSTNAME=Passed, username=Passed, ssh Timeout rule=Passed snmp rule=Passed, udld Rule=Passed, Enable Password=Passed, Snmp config rule=Passed, Line Vty 0 4 Timeout & acl=Passed, Line Con 0 timeout=Passed, Service Policy=Passed, Https Rule=Passed, Line Con 0=Passed, Line aux 0=Passed, Don't Username=Passed, Service Password Encryption=Passed, Aaa Server-GE=Passed, Line Vty 5 15=Passed, Image Verification=Passed, Bootp Server=Passed,Line Vty 0 4=Passed, xyz=Failed" 
|rename comment as "Upto Now is sample data only" 
| rex field=_raw "=(?<a>Passed)" max_match=0 | eval passed_count=mvcount(a) | fields - a
| rex field=_raw "=(?<a>Failed)" max_match=0 | eval failed_count=mvcount(a) | fields - a

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma

vinod743374
Communicator

Its not gonna workout ,
because there is no such "Failed" in the _raw 

let me share you the _raw event of that .  i just bold the failed message.

Dns Rule=Passed, HOSTNAME=Passed, username=Passed, ssh Timeout rule=Passed, Node Name="HUN-BUD-GE-COR-SW-01_stack.ROMA.AD", snmp rule=Passed, udld Rule=Passed, Enable Password=Passed, Snmp config rule=Passed, Line Vty 0 4 Timeout & acl=Passed, Line Con 0 timeout=Passed, Service Policy=Passed, Https Rule=Passed, Line Con 0=Passed, Line aux 0=Passed, Node Ip Address="10.198.4.1", Don't Username=Passed, Service Password Encryption=Passed, AaaServer-GE="Critical - Pattern 'aaa new-model' was found On line 28 'aaa new-model' Pattern 'aaa authentication login default group tacacs' was not found Pattern 'aaa authorization exec default group tacacs' was not found Pattern 'aaa accounting exec default start-stop group tacacs' was not found Pattern 'tacacs-server host 10.198.60.40' was not found Pattern 'tacacs-server host 10.198.40.40' was not found Pattern 'tacacs-server directed-request' was not found Pattern 'aaa authentication enable default group tacacs' was not found Pattern 'aaa accounting commands 15 default start-stop group tacacs' was not found", Line Vty 5 15=Passed, Image Verification=Passed, Bootp Server=Passed, Config Title="4/26/2021 01:03 PM - Running", Line Vty 0 4=Passed, Logging Rule=Passed, Banner Rule=Passed, Config Type=Running, Finger Rule=Passed, Http Server=Passed, Name Server=Passed, Pad Service=Passed,

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@vinod743374 

Is that specific pattern that we can say Failed for this?

AaaServer-GE="Critical - Pattern 'aaa new-model' was found On line 28 'aaa new-model' Pattern 'aaa authentication login default group tacacs' was not found Pattern 'aaa authorization exec default group tacacs' was not found Pattern 'aaa accounting exec default start-stop group tacacs' was not found Pattern 'tacacs-server host 10.198.60.40' was not found Pattern 'tacacs-server host 10.198.40.40' was not found Pattern 'tacacs-server directed-request' was not found Pattern 'aaa authentication enable default group tacacs' was not found Pattern 'aaa accounting commands 15 default start-stop group tacacs' was not found"

 

0 Karma

vinod743374
Communicator

Yes,
the Content may changes for different Events.

"Critical - "  is common in all the things the remaining  gets changed.

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@vinod743374 

Can you please try this?

YOUR_SEARCH
| rex field=_raw "=(?<a>Passed)" max_match=0 
| rex field=_raw "=\"(?<b>Critical\s-) " max_match=0 
| eval passed_count=mvcount(a), failed_count=mvcount(b) | fields - a,b

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma

vinod743374
Communicator

Thank you so much it is working.

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

Glad to help you @vinod743374 

But you supposed to accept my last answer  🙂  

0 Karma
Get Updates on the Splunk Community!

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...