To answer your question, why your technique doesn't work. It is because in your search query you are creating a result set first and then you add a filter using the search command. However, this search command will only filter events from the results you are already passing to it, and those results do not contain the fields index and sourcetype and don't have a timestamp (you removed the field _time), which you are also trying to filter on by adding earliest and latest constraints.

To show you what you are actually doing in your expression, try to modify it by removing all conditions in the search command. If it is still not clear, let's extend your query even more by adding some additional field, e.g. foo, and play with filtering by that field:

| makeresults

What confused you is that the search command, when it is first in the query pipeline, retrieves data from the indexes according to the condition. And

| search index=aws sourcetype=aws:guardduty

is the same as just

index=aws sourcetype=aws:guardduty

But when it is anywhere else in the pipeline, then it filters events arriving to it from the previous command.

[...] was on the right direction, just that the subsearch has to return a valid search string, and his subsearch does not end up creating a plain string which can be used in the parent search. Try the following:

index=aws sourcetype=aws:guardduty [ | makeresults | eval earliest=strptime(":20:00:00","%m/%d/%Y:%H:%M:%S") | eval | return earliest latest

The reason it's not working is because you're using a generating command to start your SPL, then trying to tack on | search index=. If you start with makeresults then you can't pipe into indexed data, since Splunk is only looking at the newly generated data. You could forgo the | makeresults altogether and use simple evals. I'm still unsure about your use-case and why you would want to do it this way. The only way this would make sense is if you had a dashboard and wanted to pass the time from the timerange picker to the field, do some type of math to it, and pass the new results to other commands.

As for your point one. Single quotes around the field represent the value you want from the field, so assuming this foo=bar and you had | eval newfield='foo', your newfield value would be bar. If you put double quotes around them like this | eval newfield="foo" it would be foo, since you're explicitly wanting the value with double quotes. As for $$, those are reserved for tokens, which are heavily used in dashboards to pass values. Try for yourself, change the single quotes to doubles on the 3rd line and watch the output change:

| makeresults

If this helped you out, please feel free to upvote.

I had the exact scenario about a year ago. Here's the question I asked and here's how I did it. You create a hidden panel and fields which accept input from the timerange picker (the fancy SPL below will also convert from relative to absolute time); it then does some math on the epoch time, i.e.

Use stats with eval expressions and functions

You can embed eval expressions and functions within any of the stats functions. This is a shorthand method for creating a search without using the eval command separately from the stats command.

For example, the following search uses the eval command to filter for a specific error code. Then the stats function is used to count the distinct IP addresses.

status=* | eval dc_ip_errors=if(status=404,clientip,NULL()) | stats dc(dc_ip_errors)

As an alternative, you can embed an eval expression using eval functions in a stats function directly to return the same results.

status=* | stats dc(eval(if(status=404, clientip, NULL()))) AS dc_ip_errors

This example uses the sample data from the Search Tutorial but should work with any format of Apache web access log.

Use eval expressions to count the different types of requests against each Web server
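The following Python is an added example, not code from the Splunk documentation or from anyone in the thread. It models what the two `stats dc(...)` searches in the docs section compute, on a few constructed Apache combined-log lines (sample data written for this example, not the Search Tutorial data): a minimal field extraction, a `NULL()`-aware distinct count, the two-step `eval | stats` form and the embedded `stats dc(eval(...))` form, both of which return the same number. It goes one step past the page by also counting distinct client IPs per status code, which is the kind of per-status breakdown the next docs heading refers to. The `spl_if`, `stats_dc` and `parse_access_log` helpers are this example's own names, not Splunk APIs.

```python
"""Added example: what `stats dc(eval(if(status=404, clientip, NULL())))` counts,
rendered in plain Python over constructed Apache access-log lines."""
import re
from collections import defaultdict

# Constructed sample data (not the Splunk Search Tutorial file). The last line is
# deliberately unparseable so that the `status=*` filter has something to drop.
SAMPLE_LOG = """\
10.1.1.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "curl/8.0"
10.1.1.5 - - [10/Oct/2023:13:55:37 +0000] "GET /admin.php HTTP/1.1" 404 512 "-" "curl/8.0"
10.1.1.7 - - [10/Oct/2023:13:55:38 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "python-requests/2.31"
10.1.1.5 - - [10/Oct/2023:13:55:39 +0000] "GET /.env HTTP/1.1" 404 512 "-" "curl/8.0"
10.1.1.9 - - [10/Oct/2023:13:55:40 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.1.1.7 - - [10/Oct/2023:13:55:41 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "python-requests/2.31"
10.1.1.12 - - [10/Oct/2023:13:55:42 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
garbage line that does not parse
"""

# Roughly the fields Splunk extracts for an access_combined sourcetype.
LOG_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri_path>\S+) (?P<version>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)


def parse_access_log(text):
    """Field extraction. Lines that do not match stay as events with only _raw,
    which is why the searches on the page start with `status=*`."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["status"] = int(ev["status"])
            events.append(ev)
        else:
            events.append({"_raw": line})
    return events


def spl_if(cond, then_value, else_value):
    """eval if(cond, a, b); pass None as `else_value` to mimic NULL()."""
    return then_value if cond else else_value


def stats_dc(events, field_or_eval):
    """stats dc(X): number of distinct non-null values of X, where X is either
    a field name or a callable standing in for an embedded eval expression."""
    values = set()
    for ev in events:
        v = field_or_eval(ev) if callable(field_or_eval) else ev.get(field_or_eval)
        if v is not None:          # dc() ignores null values, exactly like Splunk
            values.add(v)
    return len(values)


def dc_ip_errors_two_step(events):
    """status=* | eval dc_ip_errors=if(status=404,clientip,NULL()) | stats dc(dc_ip_errors)"""
    filtered = [dict(ev) for ev in events if "status" in ev]      # status=*
    for ev in filtered:                                          # | eval ...
        ev["dc_ip_errors"] = spl_if(ev["status"] == 404, ev["clientip"], None)
    return stats_dc(filtered, "dc_ip_errors")                    # | stats dc(...)


def dc_ip_errors_embedded(events):
    """status=* | stats dc(eval(if(status=404, clientip, NULL()))) AS dc_ip_errors"""
    filtered = [ev for ev in events if "status" in ev]
    return stats_dc(filtered, lambda ev: spl_if(ev["status"] == 404, ev["clientip"], None))


def dc_ip_by_status(events):
    """Beyond the page: `status=* | stats dc(clientip) by status`, as a dict."""
    groups = defaultdict(list)
    for ev in events:
        if "status" in ev:
            groups[ev["status"]].append(ev)
    return {status: stats_dc(group, "clientip") for status, group in sorted(groups.items())}


if __name__ == "__main__":
    evs = parse_access_log(SAMPLE_LOG)
    print("two-step :", dc_ip_errors_two_step(evs))   # 2 distinct IPs produced a 404
    print("embedded :", dc_ip_errors_embedded(evs))   # same result, one command fewer
    print("by status:", dc_ip_by_status(evs))
```

The point of keeping `stats_dc` separate from the eval step is that it makes the equivalence visible: the embedded form is just the two-step form with the intermediate field never materialised, and both rely on `NULL()` producing a value that the distinct count skips. The per-status variant is useful operationally because a handful of IPs generating most of a server's 404s is a common sign of path enumeration, which is what the page's example search is really measuring.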