if you have 20 original events and 10 of them have two of your fields, the sum of your stats will show 30. Code stats count by vendoridcode Just build a new field using eval and. stats count by Category,Status stats values (Status) AS Status, values (count) AS Count by Category.Keep in mind that the latter method will produce overlapping counts, i.e. Timechart with multiple fields : r/Splunk - Reddit Working with multivalue fields. The next command creates a multivalue field based on the delimiter, which prepares the field for counting by the stats command. The eval command will again create a new field, "helper", which is just a concatenation of all the other fields delimited by. transpose 0 search 'row 1' > 0 transpose 0 headerfieldcolumn fields - column. I have webserver request logs containing browser family and IP address so should be able to get a count of different. How to get a distinct count across two different fields. you can get it like this: stats distinctcount (uafamily) uaip dd by uafamily,cpipstats count (uaip) 0 Karma. Of course we are talking about transpose. May be dc doesn't work on multiple fields. But for display purposes, you can fool the system by converting columns to rows and take out those you don't want. | eval helper=PhpFatal." ".DrupalPHPFatal." ".AccessDenied." ".PageNotFound Splunk (and most data query languages) treat columns as solemn. stats sum(count) as count avg(count) as avg stdev(count) as stdev sum(eval(if(time > relativetime(now. If your events can contain more than one of the initial fields, you can do this: sourcetype=testing PhpFatal="PHP Fatal error" OR DrupalPHPFatal="Error: PHP FATAL Error" OR AccessDenied="Access Denied" OR PageNotFound="page not found" stats count by severity signature dest time. The first command will create a new field named "message", and depending on which of the other fields the event contains it will use the data from that field as its content. | eval message=coalesce(PhpFatal, DrupalPHPFatal, AccessDenied, PageNotFound) If one event can only ever contain one of those fields, you can use this command: sourcetype=testing PhpFatal="PHP Fatal error" OR DrupalPHPFatal="Error: PHP FATAL Error" OR AccessDenied="Access Denied" OR PageNotFound="page not found" ![]() if one event can contain more than one of your fields or whether they are mutually exclusive in one event. (The numbers changed because this is a live splunkd.Sure! But it depends on how your events look, i.e. ![]() (The numbers changed because this is a live splunkd.) Index=_internal sourcetype!=splunkd_ui_access earliest=-5h json OR python OR foobar | stats count(eval(searchmatch("json"))) as json count(eval(searchmatch("python"))) as python count(eval(searchmatch("foobar"))) as foobar Index=_internal sourcetype!=splunkd_ui_access json OR python OR foobar There are multiple fields like time number description severity status restoreduration I want to take total count, count when status has true value, values of restoreduration when severity is 1. Of course we are talking about transpose. Im newbie with Splunk and Im trying make a query to count how many requests have a determinate value, but this counter must be incremented if a specific attribute is on the request. ![]() Splunk (and most data query languages) treat columns as solemn.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |