Splunk Search

Stats showing count of 1 result vs NOT that result

KindaWorking
Path Finder

I am super new to using the powerful eval command but cannot quite get my head around the syntax. Can someone help me?

I am trying to show stats to show how many useragents have the word bot somewhere in the field vs those that do not.

... | eval type=BOT if(useragent="*bot*")|eval type=NOT if(useragent!="*bot*")|stats count by type
Tags (4)
0 Karma
1 Solution

_d_
Splunk Employee
Splunk Employee

Try:

    ... | eval type=if(match(useragent, ".*bot.*"), "BOT", "NOT")|stats count by type

View solution in original post

KindaWorking
Path Finder

Hi ppablo, it said that I did not have enough karma.

0 Karma

ppablo
Retired

Thanks for confirming. It should be fixed now, but if you're still unable to comment on other users' answers/comments, just let me know.

0 Karma

KindaWorking
Path Finder

Thanks both d and somesoni2, you were both correct. Thanks!
(I cannot add comments to your answers)

ppablo
Retired

Hi @KindaWorking

Glad you got two awesome answers! Question though for you. What happened exactly when you tried to comment on their answers? Did you receive an error or did a message pop up saying something about not having enough karma or permissions? This might be a bug we thought was fixed already.

0 Karma

_d_
Splunk Employee
Splunk Employee

Try:

    ... | eval type=if(match(useragent, ".*bot.*"), "BOT", "NOT")|stats count by type

somesoni2
SplunkTrust
SplunkTrust

Try like this

your base search | eval type=if(like(useragent,"%bot%"),"BOT","NOT") | stats count by type
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...