Hi, I am hoping to use the search below, to get the counts for the categories in DIRECTION and the categories in TYPE.
If I end the search with just: | stats count DIRECTION
I get the correct counts for those.
If I end with just: | stats count TYPE
I get the correct counts for 'TYPE'.
I want to get to put them together, but no luck for: | stats count by DIRECTION TYPE
(no help if I put a comma between them).
The search and the 'evals' do pull the data desired.
Thanks,
index=aaa OR index=bbb sourcetype=ccc OR sourcetype=ccc
(extin "from=") OR (extout "from=") OR "virusname=" OR "cmd=judge module=access rule=pdrbl"
| eval DIRECTION = case (direction=="inbound", "Inbound", direction=="outbound", "Outbound")
| eval TYPE=case ( rule=="pdrbl", "pdrbl", match(virusname,"\S+"), "virus")
| stats count by DIRECTION TYPE
Try this
index=aaa OR index=bbb sourcetype=ccc OR sourcetype=ccc
(extin "from=") OR (extout "from=") OR "virusname=" OR "cmd=judge module=access rule=pdrbl"
| eval DIRECTION = case (direction=="inbound", "Inbound", direction=="outbound", "Outbound")
| eval TYPE=case ( rule=="pdrbl", "pdrbl", match(virusname,"\S+"), "virus")
| eval countfield=case(isnotnull(DIRECTION) AND isnotnull(TYPE), DIRECTION.",".TYPE, isnull(DIRECTION), TYPE, isnull(TYPE), DIRECTION)
| eval countfield=split(countfield,",")
| mvexpand countfield
| stats count by countfield
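The same idea written with mvappend instead of building a comma-joined string and splitting it again, as an added example that is not part of the original answer or the poster's search. It reuses the indexes, sourcetype, search terms and the direction/rule/virusname fields exactly as the question shows them; nothing else about the data is assumed. mvappend drops null arguments, so an event that only has DIRECTION, or only has TYPE, yields a single-value category and still gets counted, which is the same effect the three-way case() in the answer produces:

```spl
index=aaa OR index=bbb sourcetype=ccc OR sourcetype=ccc
(extin "from=") OR (extout "from=") OR "virusname=" OR "cmd=judge module=access rule=pdrbl"
| eval DIRECTION=case(direction=="inbound", "Inbound", direction=="outbound", "Outbound")
| eval TYPE=case(rule=="pdrbl", "pdrbl", match(virusname,"\S+"), "virus")
| eval category=mvappend(DIRECTION, TYPE)
| mvexpand category
| stats count by category
```

Two things worth checking when adapting this. First, the regex argument must keep its backslash: `match(virusname,"\S+")` is true for any event whose virusname contains a non-whitespace character, while `"S+"` only matches the literal letter S and silently drops the virus bucket. Second, mvexpand is subject to the search head's multivalue expansion memory limit on large result sets; if that becomes a problem, the four counts can be produced without expanding events at all, with conditional counts in a single stats call, e.g. `| stats count(eval(DIRECTION=="Inbound")) AS Inbound, count(eval(DIRECTION=="Outbound")) AS Outbound, count(eval(TYPE=="virus")) AS virus, count(eval(TYPE=="pdrbl")) AS pdrbl | transpose column_name=category`, which gives the same one-row-per-category layout.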
Actually, that worked. The slash got lost in: match(virusname,"\S+") at some point but when I put it back in, it worked as hoped. Thank you very much!
Thanks, it is closer. It gives the results of "Inbound", "Outbound" and "pdrbl" but not for "virus" - which I know does have counts. Am going through what you altered to make sense of it.
I appreciate the answer, but no, that isn't what I was looking for. DIRECTION and TYPE are independent of each other. I want to see counts for all 4 categories:
Inbound: nn
Outbound: nn
virus: nn
pdrbl: nn
So basically, instead of having 2 separate searches due to separate indexes, I want the results from a single search. Only way I could find to do that was with the eval commands.
Thanks.