Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

merge two searches without available fields

rechteklebe
Path Finder
‎10-12-2012 05:20 AM

Hello,

i have two searches where the text expressions are different(without fields) (Login Successful and Unsuccessful). I'd like to have the amount of user divided by country

  1. index=123 sourcetype=123 country=* "Login successful" | stats count by country
  2. index=123 sourcetype=123 country=* "Login unsuccessful" | stats count by country

Now i would like to merge this two searches in one chart divided by the country
The table should look like:

Columns are "Country" "Login Successful" "Login unsuccessful"

1st row for example: DE 20 5

I tried to use following search:

index="123" sourcetype="123" "Login successful" OR "Login unsuccessful"
|eval Successful_Logins=searchmatch("Login successful")
|eval Unsuccessful_Logins=searchmatch("Login unsuccessful")
|stats Successful_Logins Unsuccessful Logins by country

How i can merge two searches without fields (no fields are used for "Login (un)successful")?

Thank you in advance!

Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dart
Splunk Employee
Splunk Employee
‎10-12-2012 05:43 AM

You can use searchmatch and eval in your stats expression.

index=123 sourcetype=123 "Login successful" OR "Login unsuccessful" | stats count(eval(searchmatch("Login successful"))) as Successful_Logins count(eval(searchmatch("Login unsuccessful"))) as Unsuccessful_Logins by country

View solution in original post

Reply
Solved! Jump to solution
Solution

dart
Splunk Employee
Splunk Employee
‎10-12-2012 05:43 AM

You can use searchmatch and eval in your stats expression.

index=123 sourcetype=123 "Login successful" OR "Login unsuccessful" | stats count(eval(searchmatch("Login successful"))) as Successful_Logins count(eval(searchmatch("Login unsuccessful"))) as Unsuccessful_Logins by country
Reply
Solved! Jump to solution

rechteklebe
Path Finder
‎10-12-2012 05:59 AM

sorry it was my fault. now your search is working fine! Thanks!

0 Karma
Reply
Solved! Jump to solution

dart
Splunk Employee
Splunk Employee
‎10-12-2012 05:55 AM

Can you post the exact search you are running? What version of Splunk?

0 Karma
Reply
Solved! Jump to solution

dart
Splunk Employee
Splunk Employee
‎10-12-2012 05:54 AM

This exact search worked for me against Windows Security Log Data
*| stats count(eval(searchmatch("Success Audit"))) as Successful_Logins count(eval(searchmatch("Fail* Audit"))) as Unsuccessful_Logins

0 Karma
Reply
Solved! Jump to solution

rechteklebe
Path Finder
‎10-12-2012 05:51 AM

Error='The arguments to the 'searchmatch' function are invalid.
Another idea?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...