Splunk Search

Sum of conditional if with wildcard

jclemons7
Path Finder

Hello all,

I have the following search and I can't seem to "trick" it into giving me the data I want... Essentially, I want a table by timestamp and user which counts occurrences of wildcard hits. Here's my lame attempt to get it working..

event="standard"
| regex _raw="(?i)(fileofinterest\.txt|objectofinterest\.txt|otherthing\.bat)"
| eval type1_if=if(match(InterestingField, "(?i)fileofinterest\.txt"), 1, 0)
| eval type2_if=if(match(InterestingField, "(?i)objectofinterest\.txt"), 1, 0)

I want to get a table that looks like this:

_timestamp | user | type1_if_total | type2_if_total | type_if_total

For each user and _timestamp

Any help is greatly appreciated...

0 Karma
1 Solution

woodcock
Esteemed Legend

I think you are not asking for what you really desire, but assuming I am incorrect, you can do what you asked like this:

event="standard"
| regex _raw="(?i)(fileofinterest\.txt|objectofinterest\.txt|otherthing\.bat)"
| stats count(eval(match(InterestingField, "(?i)fileofinterest\.txt"))) AS type1_if_total
        count(eval(match(InterestingField, "(?i)objectofinterest\.txt"))) AS type2_if_total BY _timestamp user
| eval type_if_total = type1_if_total + type2_if_total


maciep
Champion

something like this?

... | stats count(eval(type1_if=1)) as type1_if count(eval(type2_if=1)) as type2_if count(eval(type1_if=1 OR type2_if=1)) as type_if by _timestamp user
0 Karma

somesoni2
SplunkTrust

Any sample logs??

0 Karma

jclemons7
Path Finder

So, this is sort of working, I think... but it seems like my group is only returning one column for each user, so I will get a count of type2_if_total for a given user but I won't get a count of type1_if_total, or vice versa. I need to know the total count of both type1_if_total and type2_if_total for each user.

0 Karma

woodcock
Esteemed Legend

If you are only getting a count of one it is because that is what is really there. If a user has some of each, this search WILL count both and each field will be non-zero. My solution is a complete solution for your need as you described it.

0 Karma
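The accepted search run end to end on constructed sample events, so the per-user counts can be checked by eye (an added example, not code from the thread). It assumes the `regex` filter is meant to keep the matching events, puts the file names into `match()` as case-insensitive regexes because `%` is not a wildcard there, filters on `InterestingField` since `makeresults` events have no `_raw`, and groups by `_time` rather than the asker's `_timestamp` field.

```spl
| makeresults count=6
| streamstats count AS n
| eval user=if(n%2==0, "alice", "bob")
| eval InterestingField=case(
      n==1, "/srv/fileofinterest.txt",
      n==2, "/srv/objectofinterest.txt",
      n==3, "/srv/otherthing.bat",
      n==4, "/srv/FileOfInterest.TXT",
      n==5, "/srv/objectofinterest.txt",
      n==6, "/home/alice/objectofinterest.txt")
| eval _time=relative_time(now(), "@d")
| regex InterestingField="(?i)(fileofinterest\.txt|objectofinterest\.txt|otherthing\.bat)"
| stats count(eval(match(InterestingField, "(?i)fileofinterest\.txt"))) AS type1_if_total
        count(eval(match(InterestingField, "(?i)objectofinterest\.txt"))) AS type2_if_total
        BY _time user
| eval type_if_total = type1_if_total + type2_if_total
```

With this data alice gets type1_if_total=1, type2_if_total=2, type_if_total=3 and bob gets 1, 1, 2 in one row each, which is the "both columns non-zero for the same user" behaviour the follow-up asks about; bob's otherthing.bat event survives the filter but is counted in neither column.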