Use stats with eval expressions and functions

You can embed eval expressions and functions within any of the stats functions. This is a shorthand method for creating a search without using the eval command separately from the stats command.

For example, the following search uses the eval command to filter for a specific error code. Then the stats function is used to count the distinct IP addresses.

```
status=* | eval dc_ip_errors=if(status=404,clientip,NULL()) | stats dc(dc_ip_errors)
```

As an alternative, you can embed an eval expression using eval functions in a stats function directly to return the same results.

```
status=* | stats dc(eval(if(status=404, clientip, NULL()))) AS dc_ip_errors
```

Use eval expressions to count the different types of requests against each Web server

This example uses the sample data from the Search Tutorial but should work with any format of Apache web access log. To try this example on your own Splunk instance, you must download the sample data and follow the instructions to get the tutorial data into Splunk. Use the time range All time when you run the search.

Run the following search to use the stats command to determine the number of different page requests, GET and POST, that occurred for each Web server.

```
sourcetype=access_* | stats count(eval(method="GET")) AS GET, count(eval(method="POST")) AS POST BY host
```

This example uses eval expressions to specify the different field values for the stats command to count.

- The first clause uses the count() function to count the Web access events that contain the method field value GET. Then, using the AS keyword, the field that represents these results is renamed GET.
- The second clause does the same for POST events.
- The counts of both types of events are then separated by the web server, using the BY clause with the host field.

The results appear on the Statistics tab and look something like this:

Use eval expressions to categorize and count fields

This example uses sample email data. You should be able to run this search on any email data by replacing the sourcetype=cisco:esa with the sourcetype value and the mailfrom field with the email address field name in your data (for example, the email might be To, From, or Cc).

Find out how much of the email in your organization comes from.

The eval command in this search contains two expressions, separated by a comma.
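To make the semantics of an embedded eval concrete, here is an added Python model of `count(eval(...)) AS name BY host` and `dc(eval(if(..., NULL())))`, run over a few constructed access-log events. It is illustration code written for this page, not Splunk's implementation; the event fields (host, method, status, clientip) mirror the tutorial data, and the contrast between `dc_ip_errors` and an unfiltered distinct count shows why the NULL() branch matters.

```python
from collections import defaultdict

# Constructed sample events standing in for the tutorial's access_* data.
EVENTS = [
    {"host": "www1", "method": "GET",  "status": 200, "clientip": "10.0.0.1"},
    {"host": "www1", "method": "POST", "status": 404, "clientip": "10.0.0.2"},
    {"host": "www1", "method": "GET",  "status": 404, "clientip": "10.0.0.2"},
    {"host": "www2", "method": "GET",  "status": 404, "clientip": "10.0.0.3"},
    {"host": "www2", "method": "GET",  "status": 500, "clientip": "10.0.0.4"},
    {"host": "www2", "method": "POST", "status": 200, "clientip": "10.0.0.1"},
]


def stats_count_eval(events, clauses, by=None):
    """Model of: stats count(eval(pred)) AS name [, ...] [BY field].

    As in Splunk, count(eval(...)) only counts events for which the
    expression evaluates to true; every BY group reports every clause.
    """
    groups = defaultdict(lambda: {name: 0 for name in clauses})
    for ev in events:
        key = ev.get(by) if by else None
        for name, pred in clauses.items():
            if pred(ev):
                groups[key][name] += 1
    return dict(groups)


def stats_dc_eval(events, expr):
    """Model of: stats dc(eval(expr)).

    None plays the role of Splunk's NULL(): it is not a value, so it is
    never counted as a distinct member.
    """
    values = {expr(ev) for ev in events}
    values.discard(None)
    return len(values)


def get_post_by_host(events):
    # sourcetype=access_* | stats count(eval(method="GET")) AS GET,
    #     count(eval(method="POST")) AS POST BY host
    return stats_count_eval(
        events,
        {"GET": lambda e: e["method"] == "GET",
         "POST": lambda e: e["method"] == "POST"},
        by="host",
    )


def dc_ip_errors(events):
    # status=* | stats dc(eval(if(status=404, clientip, NULL()))) AS dc_ip_errors
    return stats_dc_eval(events, lambda e: e["clientip"] if e["status"] == 404 else None)
```

Over the sample above, `dc_ip_errors` reports 2 distinct clients hitting 404s, whereas a plain `dc(clientip)` over the same events would report 4.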