Hello,
I'm trying to change a value of a field using `eval case` then do a `stats count` based on that field. I'm getting no results.
In the code below I'm searching for an event with 2 specific field values, then alter the value to something meaningful then attempt to do a `stats` on it.

```
index=myindex sourcetype=mysourcetype
(action.objectType=core.user_auth.login_success OR action.objectType=core.user_auth.login_failed) |
eval status=case(action.objectType==core.user_auth.login_success,"Login Successful",action.objectType==core.user_auth.login_failed,"Login Failed")|
stats count by status
```

The closest Splunk answer I can find is this https://answers.splunk.com/answers/98575/unable-to-use-case-with-stats.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev but still not returning any results. What am I doing wrong? I verified the field "action.objectType" exists with the values I'm checking for.
Thanks,