Splunk Search

How do I compare field results to counts?

bcarnot
Path Finder

Hi
I have three communication types: Start, Update, Restore.

Each event can have multiple communication types to multiple prems.

I am trying to declare success if the number of "restore" messages sent is equal to or greater than the number of "start" messages.

Event 486 would be a success and 393, 404 and 406 would fail.

EVENT_ID  type     prem
393       restore  434
393       start    474
404       restore  21
406       start    10
406       restore  19
486       restore  1
486       start    1

| transaction source, EVENT_ID
| rex "^(?[^,]+),(?[^,]+),(?<code>[^,]+),(?[^,]+),(?[^,\r\n]*)"
| rex field=source "(?[^-]*)_18"
| rex "premisecount:\s(?<premisecount>\d+)"
| rex field=source "(?[^_]*).csv"
| stats count sum(premisecount) by EVENT_ID,type | rename "sum(premisecount)" as prem
| table EVENT_ID, type, prem
0 Karma

SathyaNarayanan
Path Finder

You need to create an eval function for this

| rex "^(?[^,]+),(?[^,]+),(?[^,]+),(?[^,]+),(?[^,\r\n]*)"
| rex field=source "(?[^-]*)_18"
| rex "premisecount:\s(?<premisecount>\d+)"
| rex field=source "(?[^_]*).csv"
| stats count sum(premisecount) as Prem by EVENT_ID,type
| eval Success = if(restore >= start, 1, 0)
| table EVENT_ID, type, Success

0 Karma

bcarnot
Path Finder

@SathyaNarayanan thank you for the response. The recommendation returns all zeros. I think this is because the count is by prem, not type. How can one tie the two together? The recommendation is exactly what is trying to be accomplished to count the successes and failures.
Thank you

0 Karma

bcarnot
Path Finder

Sorry, 406 would be a success.

0 Karma
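The reason the eval above returns all zeros is that after `stats ... by EVENT_ID,type` there is no field called restore or start, only one row per (EVENT_ID, type). The two types have to be pivoted onto one row per event first. The search below is an added example, not code from either poster: it rebuilds the sample rows from the question with makeresults (the format=csv and data options need Splunk 9.0 or later), produces one row per EVENT_ID carrying both the message counts and the premise totals, and applies the restore >= start rule to each.

```spl
| makeresults format=csv data="EVENT_ID,type,prem
393,restore,434
393,start,474
404,restore,21
406,start,10
406,restore,19
486,restore,1
486,start,1"
| stats count(eval(type=="start"))   as start_msgs
        count(eval(type=="restore")) as restore_msgs
        sum(eval(if(type=="start", prem, 0)))   as start_prems
        sum(eval(if(type=="restore", prem, 0))) as restore_prems
        by EVENT_ID
| eval success_by_msgs = if(restore_msgs  >= start_msgs,  1, 0)
| eval success_by_prem = if(restore_prems >= start_prems, 1, 0)
| table EVENT_ID start_msgs restore_msgs start_prems restore_prems success_by_msgs success_by_prem
```

In the real search, replace the makeresults block with the original rex/stats pipeline and feed its EVENT_ID, type and prem fields into the same stats. An event with no start row gets start_prems=0 and so counts as a success under the stated rule; add `AND start_prems > 0` to the condition if a missing start should be treated as a failure.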