Splunk stats count eval
12/24/2023

What is the eval command in Splunk

The eval command is a commonly used command in Splunk that calculates an expression and applies that value to a brand new destination field. Eval is incredibly robust and one of the most commonly used commands. However, you probably don't know all the possibilities eval is capable of performing.

A question about stats, count and a case-insensitive match:

I have an example query where I show the elapsed time for all log lines where detail equals one of three things, and I show the stats of the elapsed field:

    normalized_source=http_plugin (detail=/online/public/userIdentify OR detail=/online/successfulLogin OR detail=/online/home) | stats avg(elapsed), median(elapsed), p90(elapsed) by detail

So an issue I run into is that it matches both where detail equals "successfulLogin" and where it equals "successfullogin" (with a second lowercase L). The "successfullogin" exists in the logs because of tests done against the production environment, but doesn't reflect useful data. In fact, there are only 2 or 3 logs of the "successfullogin" whereas there are 40,000+ of all the others. I'd like to remove that result so I just show the three, because I am interested in the visualization of this (and I don't want a random 4th result). There are 3 ways I could go about this:

3. Show only the results where count is greater than, say, 10.

I don't really know how to do any of these (I'm pretty new to Splunk). I have tried option three with the following query:

    normalized_source=http_plugin (detail=/online/userIdentify OR detail=/online/successfulLogin OR detail=/online/home) | stats count, avg(elapsed), median(elapsed), p90(elapsed) by detail | where count > 10

However, this includes the count field in the results. This is fine except when I turn this into a bar chart: the count column skews the other values (since it is so much larger). How could I redo that query to omit the count field? (And for extra credit, how would I redo the first query to do options 1 and 2? I keep trying to modify the query and it does not give me the expected results.)

A related question and answer about showing the field with the maximum count:

Hi there, I am looking to produce an output where the field with the maximum count is displayed based on another field. For instance, in the previous example, the fields.

    <your base search which gives the fields time, status, errors, count> | eventstats max(count) as max by status errors | where count=max | fields - max

Other fragments on the page:

I'm a newbie with Splunk and I'm trying to make a query to count how many requests have a determinate value, but this counter must be incremented if a specific attribute is on the request.

A stats trick to generate a single event and execute the xpath statement.

Hi, I am trying to get a table type of alerting but I am not getting the output:

    index=ops host=Srxxxx sourcetype=iislogs (HttpStatusCode=400 OR HttpStatusCode=401 OR HttpStatusCode=403 OR HttpStatusCode=404 OR HttpStatusCode=405) AND (loadbalancer OR gateway OR IFT OR widget
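As an added example (it is not from the original post, nor Splunk's own material), here is one way to handle both problems raised in the question above about the http_plugin query: keep `count` for the `where count > 10` filter but drop it from the final table with `fields - count`, and remove the "successfullogin" variant with a `where` comparison, because field-value matching in the `search` command is case-insensitive while string comparison in `where` and `eval` is case-sensitive. The field names and path values are those from the question; the case-sensitive `where` filter is my own addition, since the page does not say what options 1 and 2 were.

```spl
normalized_source=http_plugin (detail=/online/public/userIdentify OR detail=/online/successfulLogin OR detail=/online/home)
| where detail="/online/public/userIdentify" OR detail="/online/successfulLogin" OR detail="/online/home"
| stats count, avg(elapsed) AS avg_elapsed, median(elapsed) AS median_elapsed, p90(elapsed) AS p90_elapsed BY detail
| where count > 10
| fields - count
```

The first line still does the cheap, case-insensitive narrowing at search time; the `where` on the second line then discards the 2 or 3 lowercase test events before `stats` runs, so no fourth row is produced even without the count threshold. The values in `where` must be quoted, otherwise `/online/home` would be parsed as an eval expression rather than a string. The `count > 10` line can then be kept as a safety net, and `fields - count` removes the column that was skewing the bar chart without affecting the filter that used it.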