Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

stats count zeroes

christoffertoft
Communicator
‎09-28-2017 07:57 AM

I have the following search term

.... | 
| stats count(eval(action="failure")) as fails, count(eval(action="success")) as successes by user, host
| stats list(host) as "Hosts Contacted", dc(host) as "Count of Hosts", list(fails) as "Fails per Hostname", count(fails) as "Total Fails", count(successes) as "Successful Logins" by user

Im getting a table like follows:

user.................hosts contacted...count of hosts,......fails per hostname...........total fails...........successful logins
username1............somehost.................2................1...................................2...........................2
.....................somehost2.................................1................................................................

As we can see, the query unsuccessfully determines the result of the login attempts. For comparison, if i add list(fails) to the final stats command they will show up as 0s, but the column with Total fails will still add them up. Does my query count 0s as values and add them in the count() function, or am I missing something else here? The goal is to list amount of fails and successful logins (e.g) display the total amount of failed logins per host and the amount of successful logins, grouped by a user. Essentially, it's the same for the successful logins, if i have 4 successful logins and 0 failed, both columns will show 4.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎09-28-2017 09:49 AM

Your second stats needs to use sum() rather than count(). You can also create a synthetic field to connect the count of fails or successes to the appropriate host name.

Try this...

 | stats count(eval(action="failure")) as fails, count(eval(action="success")) as successes by user, host
 | eval hostfails = "host=".host." fails=".fails
 | eval hostsucc = "host=".host." successes=".successes
 | stats values(host) as "Hosts Contacted", dc(host) as "Count of Hosts", 
         values(hostfails) as "Fails by Host","
         sum(fails) as "Total Fails",
         values(hostsucc) as "Success by Host",
         sum(successes) as "Total Successful Logins" 
         by user

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎09-28-2017 09:49 AM

Your second stats needs to use sum() rather than count(). You can also create a synthetic field to connect the count of fails or successes to the appropriate host name.

Try this...

 | stats count(eval(action="failure")) as fails, count(eval(action="success")) as successes by user, host
 | eval hostfails = "host=".host." fails=".fails
 | eval hostsucc = "host=".host." successes=".successes
 | stats values(host) as "Hosts Contacted", dc(host) as "Count of Hosts", 
         values(hostfails) as "Fails by Host","
         sum(fails) as "Total Fails",
         values(hostsucc) as "Success by Host",
         sum(successes) as "Total Successful Logins" 
         by user
Reply
Solved! Jump to solution

christoffertoft
Communicator
‎09-29-2017 12:09 AM

Wow, this helped! thanks alot for the help!

Reply
Solved! Jump to solution

christoffertoft
Communicator
‎09-29-2017 12:22 AM

Is there an option to not show the field "Success by Host" if successes=0 ? (e.g. show the field but no value?)
EDIT: To clarify, hosts that have no successful logins could show a blank (" ") instead of successes=0

Reply
Solved! Jump to solution

DalJeanis
Legend
‎09-29-2017 07:19 AM

option 1 - leave them off completely...

 | eval hostfails =  case(fails>0,"host=".host." fails=".fails)
 | eval hostsucc = case(successes>0,"host=".host." successes=".successes)

option 2 - list the name without anything after it...

 | eval hostfails =  "host=".host.if(fails>0," fails=".fails,"")
 | eval hostsucc = "host=".host.if(successes>0," successes=".successes,"")
0 Karma
Reply
Solved! Jump to solution

christoffertoft
Communicator
‎09-28-2017 08:07 AM

Sorry for the bad formatting, I don't know how to tabulate data..

0 Karma
Reply
Solved! Jump to solution

grittonc
Contributor
‎09-28-2017 08:58 AM

What's the outcome of just the first stats statement?

 .... | 
 | stats count(eval(action="failure")) as fails, count(eval(action="success")) as successes by user, host
0 Karma
Reply
Solved! Jump to solution

christoffertoft
Communicator
‎09-29-2017 12:07 AM

fails will be either 0 or 1, and the same for successes

something like:

user1-------- host1-----1---0
user2---------host1-----1---1

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...