The following are examples for using the SPL2 eval command. To learn more about the eval command, see How the eval command works. Many of these examples use the evaluation functions. See Quick Reference for SPL2 eval functions.

1. Create a new field that contains the result of a calculation

Create a new field called speed in each event. Calculate the speed by dividing the values in the distance field by the values in the time field.

2. Use the if function to analyze field values

Create a new field called error in each event. Using the if function, set the value in the error field to OK if the status value is 200. Otherwise, set the error field value to Problem.

| eval error = if(status = 200, "OK", "Problem")

3. Convert values to lowercase

Create a new field in each event called lowuser. Using the lower function, populate the field with the lowercase version of the values in the username field.

Specify field names that contain dashes or other characters

Use stats with eval expressions and functions

You can embed eval expressions and functions within any of the stats functions. This is a shorthand method for creating a search without using the eval command separately from the stats command.

For example, the following search uses the eval command to filter for a specific error code. Then the stats function is used to count the distinct IP addresses.

status=* | eval dc_ip_errors=if(status=404,clientip,NULL()) | stats dc(dc_ip_errors)

As an alternative, you can embed an eval expression using eval functions in a stats function directly to return the same results.

status=* | stats dc(eval(if(status=404, clientip, NULL()))) AS dc_ip_errors

Use eval expressions to count the different types of requests against each Web server

This example uses the sample data from the Search Tutorial but should work with any format of Apache web access log. To try this example on your own Splunk instance, you must download the sample data and follow the instructions to get the tutorial data into Splunk. Use the time range All time when you run the search.

Run the following search to use the stats command to determine the number of different page requests, GET and POST, that occurred for each Web server.

sourcetype=access_* | stats count(eval(method="GET")) AS GET, count(eval(method="POST")) AS POST BY host

This example uses eval expressions to specify the different field values for the stats command to count.

- The first clause uses the count() function to count the Web access events that contain the method field value GET. Then, using the AS keyword, the field that represents these results is renamed GET.
- The second clause does the same for POST events.
- The counts of both types of events are then separated by the web server, using the BY clause with the host field.

The results appear on the Statistics tab and look something like this:

Use eval expressions to categorize and count fields

This example uses sample email data. You should be able to run this search on any email data by replacing the sourcetype=cisco:esa with the sourcetype value and the mailfrom field with the email address field name in your data (for example, the email might be To, From, or Cc).

Find out how much of the email in your organization comes from.

| eval from_domain=mvindex(accountname,-1)

The eval command in this search contains two expressions, separated by a comma.

- The first part of this search uses the eval command to break up the email address in the mailfrom field. The from_domain is defined as the portion of the mailfrom field after the @ symbol.
- The split() function is used to break the mailfrom field into a multivalue field called accountname. The first value of accountname is everything before the @ symbol, and the second value is everything after.
- The mvindex() function is used to set from_domain to the second value in the multivalue field accountname.
- The results are then piped into the stats command.
- The stats count() function is used to count the results of the eval expression.
- The eval expression uses the match() function to compare the from_domain to a regular expression that looks for the different suffixes in the domain. If the value of from_domain matches the regular expression, the count is updated for each suffix. Other domain suffixes are counted as other.
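As an added illustration that is not part of the Splunk documentation reproduced above, the following Python script emulates the three stats-with-eval searches on a handful of constructed events, so you can see what `dc(eval(if(...)))` and `count(eval(...))` actually compute: aggregation functions skip null values, which is why `NULL()` inside an embedded eval excludes a row, and why a row whose field is missing (an expression that is not true) is simply not counted. The event data is constructed, the domain search is assumed to split `mailfrom` on `@`, and the end-anchored suffix regexes are this example's own choice; the page does not show them.

```python
"""Emulation of the SPL stats-with-eval patterns on constructed events.
Added example; not code from Splunk or from the documentation page."""
import re
from collections import defaultdict

# Constructed sample web access events (not real log data).
# The last event has no status field, so "status=*" drops it and
# count(eval(method="GET")) never sees a true expression for it.
WEB_EVENTS = [
    {"host": "www1", "method": "GET", "status": 200, "clientip": "10.0.0.1"},
    {"host": "www1", "method": "GET", "status": 404, "clientip": "10.0.0.2"},
    {"host": "www1", "method": "POST", "status": 404, "clientip": "10.0.0.2"},
    {"host": "www2", "method": "GET", "status": 404, "clientip": "10.0.0.3"},
    {"host": "www2", "method": "POST", "status": 200, "clientip": "10.0.0.1"},
    {"host": "www2", "method": "GET", "status": 500, "clientip": "10.0.0.4"},
    {"host": "www2", "method": "HEAD", "clientip": "10.0.0.5"},
]

# Constructed sample mail events; "postmaster" has no "@" at all.
MAIL_EVENTS = [
    {"mailfrom": "alice@example.com"},
    {"mailfrom": "bob@mail.example.net"},
    {"mailfrom": "carol@example.org"},
    {"mailfrom": "dave@example.co.uk"},
    {"mailfrom": "eve@example.com"},
    {"mailfrom": "postmaster"},
]


def stats_dc(rows, field):
    """stats dc(field): distinct count, ignoring null (None) values."""
    return len({r.get(field) for r in rows if r.get(field) is not None})


def dc_via_eval(events):
    """status=* | eval dc_ip_errors=if(status=404,clientip,NULL()) | stats dc(dc_ip_errors)"""
    rows = []
    for e in events:
        if "status" not in e:  # status=* keeps only events that carry the field
            continue
        row = dict(e)
        # if(status=404, clientip, NULL()): non-404 rows get a null field
        row["dc_ip_errors"] = e["clientip"] if e["status"] == 404 else None
        rows.append(row)
    return stats_dc(rows, "dc_ip_errors")


def dc_embedded(events):
    """status=* | stats dc(eval(if(status=404, clientip, NULL()))) AS dc_ip_errors"""
    values = {e["clientip"] if e["status"] == 404 else None
              for e in events if "status" in e}
    values.discard(None)  # dc() skips the NULL() results
    return len(values)


def count_methods_by_host(events):
    """sourcetype=access_* | stats count(eval(method="GET")) AS GET,
    count(eval(method="POST")) AS POST BY host"""
    table = defaultdict(lambda: {"GET": 0, "POST": 0})
    for e in events:
        row = table[e["host"]]  # BY host creates a row per host even if both counts are 0
        # count(eval(expr)) increments only when expr evaluates to true
        if e.get("method") == "GET":
            row["GET"] += 1
        if e.get("method") == "POST":
            row["POST"] += 1
    return dict(table)


# Assumed suffix patterns for match(); the page does not show its regexes.
SUFFIX_PATTERNS = {s: re.compile(re.escape(s) + r"$") for s in (".com", ".net", ".org")}


def categorize_domains(events):
    """eval accountname=split(mailfrom,"@"), from_domain=mvindex(accountname,-1)
    | stats count(eval(match(from_domain, ...))) AS ".com", ... , other"""
    counts = {".com": 0, ".net": 0, ".org": 0, "other": 0}
    for e in events:
        accountname = e["mailfrom"].split("@")  # split(): multivalue field
        from_domain = accountname[-1]           # mvindex(accountname, -1)
        for suffix, pattern in SUFFIX_PATTERNS.items():
            if pattern.search(from_domain):     # match(): unanchored regex search
                counts[suffix] += 1
                break
        else:
            counts["other"] += 1                # NOT match(any suffix)
    return counts


if __name__ == "__main__":
    print("dc via separate eval:", dc_via_eval(WEB_EVENTS))
    print("dc via embedded eval:", dc_embedded(WEB_EVENTS))
    print("GET/POST by host:", count_methods_by_host(WEB_EVENTS))
    print("mail domains:", categorize_domains(MAIL_EVENTS))
```

Both `dc_via_eval` and `dc_embedded` return the same distinct count, which is the equivalence the page describes: `NULL()` only removes a row from the aggregation because `dc()` skips nulls. The `HEAD` event shows the other side of the same rule for `count(eval(...))`: an expression that is not true adds nothing, so hosts with unexpected methods still appear with their GET and POST totals but nothing else is counted.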