Splunk Total Count

Splunk Total CountTo add existing panels from the Visualize Library: In the dashboard toolbar, click Add from library. The values in your output doesn't seem to match the query you wrote (percentage calculation). invoice=50, customer bill=100, credit card=75 across all email domains. 1,770 2 2 gold badges 19 19 silver badges 34 34 bronze badges. For example: sum (bytes) 3195256256. In your case the reason you're getting 0 results is that everything before the first pipe character is interpreted by Splunk as being keywords it should search for. Below I have provided the search I am using to get the total VPN Count. Description The addtotals command computes the arithmetic sum of all numeric fields for each search result. Splunk, Splunk>, Turn Data Into Doing, Data-to. Overview The CLI command show system statistics displays packet rate, throughput, and session count information. If stats are used without a by clause only one row is returned, which is the aggregation over the entire incoming result set. Description Returns the average of the values of the field specified. Using a simple example: count the number of events for each host name. Field and object mappings, as well as field aliases count towards this limit. get total count and average count. The Grafana Cloud forever free tier includes 3 users and up to 10k metrics series to support your monitoring needs. output plugin will flush the chunk when actual size reaches. Solved: Chart count of results per day. Total Expenses are calculated using the …. For non-clustered indexes only, you can optionally use Splunk Web to configure the path to your indexes. Solved: Stats count & chart over combo?. I used the same it worked for me. you can also display both the information: index=* earliest=-24h@h latest=now | stats count stats dc (sources) as sources by index. The vulnerability is also known as Log4Shell by security …. When the limit is reached, the eventstats command processor stops …. I want to display a timechart with total number of users for a day. I found another solution which is to use addtotal. stats count (ip) as ip, count (login) as login, count (bcookie) as bcookie. The software is responsible for splunking data, which means it correlates, captures, and indexes real-time data, from which it creates alerts, dashboards, graphs, reports, and visualizations. so, I want the total count in my email subject and the break up in the report. now the data is like below, count 300 I want the results like mar apr may 100 100 100 How to bring this data in search?. Lets say we have data from where we are getting the splunk queries as events. Message = "symbolName:" When I run the above query, I get the below results: myappstatus got Created, symbolName: AAPL ElapsedTime: 0. In Grafana, navigate to the dashboard with the table with the columns that you want to filter. | chart count over VendorCountry by product_name limit=5 Results Example: 24. In the Collection Name field, enter a unique, memorable name for this input. The search produces the following search results: host. This count is added to the results of the previous search with the append command. It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card! Review: SOAR (f. Third Quarter 2023 Financial Highlights. The du command can show the size of a file in human-readable format, which makes it easier to interpret the results. Use _____ to see events correlated together, or grouped by start and end values. This function processes field values as strings. This takes the foo2 valid JSON variable we just created value above, and uses the spath command to tell it to extract the information from down the foo3 path to a normal splunk multivalue field named foo4. The data is joined on the product_id field, which is common to both …. com source = http:docker sourcetype = docker. Use the tstats command to perform statistical queries on indexed fields in tsidx files. Now what I would like to do is displaying the http code followed by percentage of the total, something along the lines of: 200 95,9 %. Taking the previous into consideration may allow you to view this restriction as a safety feature. I am trying to get data from two different searches into the same panel, let me explain. However, I would love to get a total count of the Downloads operation be displayed inside the graph, like a Legend of sorts, which will show total downloads were e. How to calculate the total count of occurances of a timestamp ? naveenalagu. Our cloud platform empowers IT, DevOps and security teams to transform their organizations with data from any source and on any timescale. Hello! I'm trying to calculate the percentage that a field covers of the total events number, using a search. Is it possible to get my chart to look like this:. num_pages: Integer: Total number of pages available for this query. Thanks in advance for your help. advanced threat hunting, better email …. Compute the sums of all the fields, and put the sums in a summary event called "change_name". You could pipe another stats count command at the end of your original query like so: sourcetype="cargo_dc_shipping_log" OR sourcetype="cargo_dc_deliver_log" | stats count by X_REQUEST_ID | stats count. you could try to just use streamstats, | streamstats count as columncount. stats Description Calculates aggregate statistics, such as average, count, and sum, over the results set. To learn more about the fields command, see How the fields command works. First will grab the first log that Splunk finds, which should always the most recent event, in this scenario. Specify the latest time for the _time range of your search. category=AuditLogs to the search. yourInitialSearch | stats count by result, accountName | xyseries accountName,result,count. "Total" implies adding numbers, but the sample data is not numeric. This works by extracting the unique IP's defined by the field User_IP, and the eventcount at the top of the search returns a total of say "395". Difference between Network Traffic and Intrusion Detection data models. With the GROUPBY clause in the from command, the parameter is specified with the in the span function. Click Search in the App bar to start a new search. Hello, I am currently tracking a total count of VPN Users. This year’s Gartner Market Share: All Software Markets, Worldwide 2020 report places Splunk as No. I can create the lookup for one of the queries and correlate the matching field values in the second query but trying to do without lookup within. COUNT () counts the total number of rows in a table. Running these processes consumes SVCs. The percentage of chunk size threshold for flushing. count to a table using the. 1 Solution Solution gfuente Motivator 10-09-2013 08:07 AM Hello Linecount is the number of lines per event I guess you are looking for something like: sourcetype="my_source" filter_result="hello_world" | stats count as Total Regards View solution in original post 6 Karma Reply All forum topics Previous Topic Next Topic bbialek Path Finder. Our goal is to help you make the most of your Splunk investments. I need to combine both the queries and bring out the common values of the matching field in the result. Monitor Windows event log data with. See Quick Reference for SPL2 eval functions. | timechart count by host | addtotals row=true fieldname=total host. For example, the 95th percentile is. Splunk : How to sum the values of the fields that are a result of if condition. how to get the total sum based on specific field. HTTP Event Collector saves usage data about itself to log files. This is the third year in a row Splunk was named the leader in this segment. How To Use Splunk Table Command and Fields Command. The primary components in the Splunk architecture are the forwarder, the indexer, and the search head. By default, data is stored in the “main” index. where i want to display the order count in weekly range. I know I'm doing wrong but I cant get it exactly right Here's what I'm trying to do. Understand your costs by Splunk product. now i want to display in table for three months separtly. Assuming there is no congestion, the license_usage. Finally, get the total and compute percentages. This is the best way I have found to do it:. Splunk is the key to enterprise resilience. 40 vpn/ "Session disconnected" | rex field=_raw "Duration (? [^,])" | stats count by Username duration which returns results: so I would like to combine all users of the same name and list the total time they were connected. The monitoring system can sum all total time statistics over the minute to yield “12 seconds” of total time in the minute interval. The _time field is in UNIX time. Total): Analyst Month Total Count SLA (%) Working COVID-19 Response SplunkBase Developers Documentation. 📚 Splunk has contributed to the open source community for 18 years and counting. Pandas DataFrame groupby () method is used to split data of a particular dataset into groups based on some criteria. Partners Accelerate value with our powerful partner ecosystem. Splunk Administration; Splunk, Splunk>, Turn Data Into Doing, Data-to-Everything, and D2E are trademarks …. In this Part 2, we’ll be walking through: Various visualization types and the best ways to configure them for your use case, and. index=_internal source=license_usage. Get distinct results (filtered results) of Splunk Query based on a. The COUNT() function returns the number of rows that matches a specified criterion. You can use tokens to access and pass these values to create more interactive dashboards. 797 and out_time=2013-12-11T22:58:51. Here is my query so far which gives me the host names and the count however I cannot figure out how to get the sum of "count". File Delete archived, event code 23, can be helpful when looking for an adversary bent on destruction or covering their tracks. Count the total revenue made for each item sold at the shop over the last 7 days. When I try to go to that page, I received the following message. A source type determines how Splunk Enterprise formats the data during the indexing process. count: Integer: Count of total number of records. Configure CloudWatch Log inputs for the Splunk Add. the search is like this: host=linux01 sourcetype="linux:audit" key="linux01_change" NOT comm IN (vi) how can I create a timechart to show the number of total events (host=linux01 sourcetype="linux:audit") and the number of filtered events (host=linux01 sourcetype="linux:audit" key="linux01_change" N. 34 billion (2023) Total equity: US$−111 million (2023) Number of employees. Specify a list of fields to include in the search results. The total is calculated by using the values in the specified field for every event that has been processed, up to the current event. available fields is websitename , just need occurrences for that website for a month. Happy Splunking !! What’s your Reaction? +1 +1. Solved: How to find total byte count?. How get a total count based on the substring value?. The eventstats command is a dataset processing command. Use the keyboard shortcut Command-Shift-E (Mac OSX) or Control-Shift-E (Linux or Windows) to open the search preview. It repeats the source IP on each line, though. The return command is used to pass values up from a subsearch. Sums the transaction_time of related events (grouped by "DutyID" and the "StartTime" of each event) and names this as total transaction time. This is where a tool like Splunk comes in handy. The percentage of high priority searches delayed (16%) over the last 24 hours is very high and exceeded the red thresholds (10%) on this Splunk instance. Its functionality enhances the capabilities of Splunk, making it an indispensable tool for companies that rely on data-driven insights to drive success. You can also search against the specified data model or a dataset within that datamodel. likewise, | stats dc (IP) by ACCOUNT. the Totals seems right, but I can't get the individual events in the category field to count right per each. A transaction is any group of conceptually-related events that spans time, such as a series of events related to the online reservation of a hotel room by a single customer, or a set of events related to a firewall intrusion incident. Select the pie chart on your dashboard so that it's highlighted with the blue editing outline. Splunk Query Count of Count. However, since you seem to have duplicate records in your index (you should figure out why rather than using dedup). Solved: Adding Event Count to Table. Number of packets that the originator sent. How to count the total number of events in a splunk search result? 0 [splunk]: Obtain a count of hits in a query of regexes. index=_internal sourcetype=splunkd_* | stats count by sourcetype | eventstats sum (count) as total | eval sourcetype=sourcetype. The "top" command returns a count and percent value for each "referer_domain". In another case, if the total pod count is low, the alert can be how many pods should be alive. The below starter query gets me a total count of all the url entries. 11-01-2016 01:13 PM I can't seem to figure out a way to add a bottom row for a total count of results (records) to the end of the results without adding another column for a count …. Anyway stats count by index gives you the number of events for each index, if you want the number of sources, you have to use. Is there a way that I can get a similar count of all events for the past 30 days and put that data in a chart?. Compute the sums of all the fields. which has 17 results, or: 2) index=hubtracking sender_address="@gmail. This would give you a single result with a count field equal to the number of search results. What I expect would work, if you had the field extracted, would be |search vpc_id="vpc-06b". Is there a way for me to get it to look like this? As of right now my piechart look like this. Connection Count by ClientIP, with Total. Splunk hires the best innovators, disruptors and collaborators globally so we can help organizations become more secure and resilient. The results are grouped first by the fieldX. Click once on each type you want to monitor. In your search, if event don't have the searching field , null is appear. the reason this is inefficient is that you are asking the system to do a full scan of the index and aggregate the count. Create a new field that contains the result of a calculation. index=sales sourcetype=vendor_sales VendorID<4000 | chart count over VendorCountry by product_name limit=5 useother=f Results Example: NOTE: Splunk automatically calculates the top products by totaling each column and …. is an American software company based in San Francisco, California, that produces software for searching,. index=”splunk_test” sourcetype=”access_combined_wcookie”. How to append a total row for a column chart?. Be very careful about changing them though because they can have a big impact on performance! There are ways of doing joins without the "join" command. When you add inputs using the visual editor, their layout configuration is automatically generated in the dashboard definition. They provide access to the full set of Splunk Enterprise features within a defined limit of indexed data per day (volume-based license), or vCPU count (infrastructure license). I want to get counts of transactions where duration>1, duration<1 and the total count in the same table. 335 4 4 silver badges 9 9 bronze badges. For count of unique commands try: |stats dc (command) by user host. So the report looks something like,. I want to list out the stats which shows how many occurrences of CCYY then MM then DD. How to count the total number of events in a splunk search result? 0. Chart the number of transactions by duration. One solution is to use the append command and then re-group the results using stats. The order and count of results from appendcols must be exactly the same as that from the main search and other appendcols commands or they won't "line up". For example: index=sm auth | stats count by host, user. Event code 23: File Delete & event code 26: Save to ArchiveDirectory. Using sitimechart changes the columns of my inital tstats command, so I end up having no count to report on. Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type. Searches that use the implied search command. Integrate Microsoft Entra logs with Splunk. For each event, extracts the hour, minute, seconds, microseconds from the time_taken (which is now a string) and sets this to a "transaction_time" field. The Splunk stats command, calculates aggregate statistics over the set outcomes, such as average, count, and sum. 1) simple example, running the timechart first and using streamstats to create the cumulative total on the timechart output rows. In SQL, you often see examples that use "mytable" and "mycolumn". Here, percent field is the percentage field. To migrate your analytics rules to Microsoft Sentinel: Verify that you have a testing system in place for each rule you want to migrate. flow_name=getOrderDetails | rename content. In these examples, the "source" field is used as a proxy for "table". A Splunk Cloud Platform administrator can define what percentage of the total search capacity the scheduler is allowed to consume with scheduled search jobs. You can now use that count to create different dates in the _time field, using the eval command. Group events by multiple fields in Splunk. Calculates aggregate statistics over the results set, such as average, count, and sum. How to calculate the number of request that is hitting different …. splunk check if message contains certain string. total count for that service -> ts 5xx status for that service -> er_s availability = ( (ts - er_s) / ts) 100. Put corresponding information from a lookup dataset into your events. Usually to append final result of two searches using different method to arrive to the result (which can't be merged into one search). The eventstats and streamstats commands are variations on the stats command. Events that do not have a value in the field are not included in the results. So, your condition should not find an exact match of the source filename rather than it should be a pattern of ending with filename. I have posted this as there are a few similar Splunk answers knocking around but none seemed to work for me or quite gave me …. conf file setting named max_mem_usage_mb to limit how much memory the eventstats command can use to keep track of information. However, the format of the results table is a little different from what you requested. The stats command counts the Purchase Related and Other values in the activity field. When you create an input in the source editor, you must add it in two places in the dashboard definition. O n December 10, a critical remote code execution vulnerability impacting at least Apache Log4j 2 (versions 2. Step 7: Create table of only require Name Value pair i. The stats function options help the user in calculating the aggregation statistics with the results set, like the count, average, or sum. Most aggregate functions are used with numeric fields. ; The du command can be used to check the size of multiple files at once. Here are some advantages to use du command to check file size in Linux. Total monitored users will be aggregated across all uses by Third Party Providers and separate use of Enhancements made available to you. | rest /services/saved/searches | where is_scheduled=1. The other option would be to create a new 'datasets' definition with something like index=yourindex | table _time, _raw and save it with a meaningful report. index=vulnerabilities Fields in the index are: host, VulnID, VulnName. Requests bytes total: Count: code, method, protocol, service: The total size of requests in bytes received by a service. Hi, I need small help to build a query to find the difference between two date/time values of a log in table format. For a list of available calculations, refer to Calculation types. We are going to apply the below two calculations −. host count host_1 89 host_2 57 But I would like the query to also count records where the field exists but is empty, like this:. Splunk is a fantastic tool for individuals or organizations that are into Big data analysis. In the following run everywhere example. It is one of the core indexed metadata fields Splunk associates with data that it ingests. showdupes filter=all|latest would be very beneficial, especially when debugging input configs. Step 4: Scroll down until you see “Splunk Enterprise” and. How to get data from log and count event values. How to use span with stats? 02-01-2016 02:50 AM. To keep results that do not match, specify !=. 1 Answer Sorted by: 0 Put each query after the first in an append and set the Heading field as desired. You can retrieve events from your datasets using keywords, quoted phrases, wildcards, and field-value expressions. (which halfway does explicitly what timechart does under the hood for you) and see if that is what you want. Events are retrieved from one or more indexes during a search. When I first log in to Splunk, one of the first things I see is called "Data Summary" (under what to search) which displays the host, total number of events indexed, earliest event, and the latest event from each host. How to search for top 10 with stats list and count?. If the rule was created in PAN-OS 8. To configure inputs using Splunk Web, click Splunk Add-on for AWS in the navigation bar on Splunk Web home, then choose one of the following menu paths depending on the data type you want to collect: Create New Input > VPC Flow Logs > CloudWatch Logs. A "process class" is an aggregate of processes within a single class. KIran331's answer is correct, just use the rename command after the stats command runs. In step1 - It calculates the count based on the index,sourcetype (dest_ip,dest_port) and then total is calculated per index (dest_ip). The groupby () function split the data on any of the axes. What I've got is the count of the points based on unique identifier, but I need a Total Count of transaction (total # of unique IDs), count of Success and count of failures. This function takes a field and returns a count of the values in that field for each result. Send an email notification if more than five errors occur within one minute. The formula provided by @rubin_boer already including the count column. In my case, the events being searched are just basic events that have a field "time_taken" with nu. A filter icon appears next to each column title. How to create a sum of counts variable. The labelfield option to addcoltotals tells the command where to put the added label. So if the above doesn't work, try this: index = "SAMPLE INDEX" | stats count by "STATE". So I need this amount how often every material was found and then divide that by total amount of orders. To try this example on your own Splunk instance, you must download the sample data and follow the instructions to get the tutorial data into Splunk. Is there an easy way to add a count column for each row in Splunk. Interviewing for a BDR job at Gigamon, who are building out their UK office. The courses included in a certification-specific learning path provide the foundation you need to practice the right material and prepare for the exam. If I try to use |stats values (city) as city, count by State. The streamstats command is used to create the count field. I would like to put the count of infected assets in relation to the total number of known assets in each department. For example, Well do think about Splunk Answers community when you run into issues. You set the limit to count=25000. However, if you were interested in deviations from the "norm" to …. Additionally, you can use the relative_time () and now () time functions as arguments. Show Total count on Stacked bar/column chart. Goto Select Save As than on Alert. You can use this function with the eval and where commands, in the WHERE clause of the from command, and as part of evaluation expressions with other commands. sourcetype=file1 [subsearch ->returns Orders] | here I need to select the total amount of orders like:. Cloud revenue was $944 million, up 70% year-over-year. To improve the speed of searches, Splunk software truncates search results by default. The appendcols command can't be used before a transforming command because it must append to an existing set of table-formatted results, such as those generated by a transforming command. This example takes the incoming result set and calculates the sum of the bytes field and groups the sums by the values in the host field. app: dest_port: count: total_count: ssl: 10001 10020 13000 13006 22790 26107 443 44345 4: 21 2 3 2 8 19 22 55 Splunk, Splunk>, Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or …. I have one panel that searches a list of hosts for data and displays the indexes and source types. top command, can be used to display the most common values of a field, along with their count and percentage. By using the STATS search command, you can find a high-level calculation of what’s happening to our machines. Splunk Transaction Command: What It Is and How to Use It. Total revenues grew 40% to $930 million year-over-year. Use this comprehensive splunk cheat sheet to easily lookup any command you need. I was given a log from splunk and I want to get a particular data in the middle of the string and use it for the dashboard stats count by extracted_field. You can click the Open Search icon next to the indexing rate to view the query behind the …. It can be done, for example you query is stats count (xxx) as Total by yyy |eval yyy=yyy. Let's say I have a base search query that contains the field 'myField'. csv |join type=inner [ |inputlookup KV_system |where isnotnull (stuff) |eval stuff=split (stuff, "|delim. Follow answered Oct 18, 2018 at 19:47. The login count looks correct, but the percentages all come back as 1 and Total is showing the login count for that UserDisplayName not the full amount …. Additionally, the transaction command adds two fields …. You can also know about : How To Reset All Input's Tokens With A one-click In Splunk Dashboard. The first clause uses the count () function to count the Web access events that contain the method field value GET. Hi, I need a top count of the total number of events by sourcetype to be written in tstats(or something as fast) with timechart put into a summary index, and then report on that SI. How to show raw data instead of formatted data?. So (over the chosen time period) there have been 6 total on Sundays, 550 on Mondays, y on Tuesdays etc. Is there a better to get list of index? Since its like a table created in splunk. NET provides the Meters mechanism for reporting diagnostic metrics. To make things clear - in Splunk there is no "merging" of cells. Solved: how to display percentage of total - Splunk … Schools Details: Web1 Solution Solution Ayn Legend 01-29-2014 04:48 AM Using eventstats might be better: index=prd_access sourcetype="access:web:iis:project" eventstats count as totalcount chart count,first (totalcount) as totalcount by httpstatus eval … splunk total count › Verified 1 …. If the specified field name already exists then the label will go in that field, but if the value of the labelfield option is new then a new column will be created. In order to monitor performance counters: Go to Start. A cross-walk of CAR, Sigma, Elastic Detection, and Splunk Security Content rules in terms of their coverage of ATT&CK Techniques and Sub-techniques. To make it clearly, you can keep the result into a collection: ClearCollect (varchart,AddColumns (GroupBy (MyCollection,"NewFieldForStage","Stages"),"Total",CountRows (Stages))). Customer Stories See why organizations around the world trust Splunk. The timechart command generates a table of summary statistics. This is my search : [some search] | fieldsummary | rename distinct_count as unique_values | eval percentage= (count / [total]) * 100 | table field count unique_values percentage | fi. data: Array: Array of objects in JSON format. What is the best way to get list of index in my splunk. |stats list (domain) as Domain, list (count) as count, sum (count) as total by src_ip. // All users will have this line recorded initializing user blah blah // success user will have this line recorded init succeeded // fail users will have a few variations init failed A init failed B How. This will display the total in the field name. Hope you enjoyed this blog “ 10 most used and familiar Splunk queries “, see you on the next one. Splunk conditional distinct count. Mind that setting the schedule and time window for your acceleration should be according to your need. We can find the total count of each command in the splunk queries by the following query. Currently i'm running this command for 2 days, it takes quite a lot of time. When you aggregate data, sometimes you want to filter based on the results of the aggregate functions. Theeval eexpression uses the match() function to compare the from_domain to a regular expression that looks for the different suffixes in the domain. Splunk Search: Split the total count in the rows per month and sh Options. (T1) on _time | project _time, category, count_i, count_total: Join. This query will list the total number of hosts reporting to the indexer for any specified time range. Count unique values per field. For example, a test with 2 steps that is run every 5 minutes (12 times per hour) from 3 locations per test will count as 72 Browser Test Runs per hour. Alert action Send an email notification. Community; Community; Splunk, Splunk>, Turn Data Into Doing, Data-to-Everything,. the where command may be overkill here, since you can simply do: 1) index=hubtracking sender_address="*@gmail. The company reported a quarterly loss that ca. I have the following query which gives me a Total count of 2 searches but after evaluating, I am not getting the Total count. 11-01-2016 01:13 PM I can't seem to figure out a way to add a bottom row for a total count of results (records) to the end of the results without adding another column for a count and then totaling that column. How to create a search to get count total with per. For example, I have IPs that are into the hundreds for allows, yet when I run the search they're reduced to one pass/fail. What exactly do you want to do? – RichG Oct 12, 2022 at 17:24 Sorry, I meant the count for the logs, Like how many log events happened? Each row is an event, In the screenshot above there are 3 events. I have a table like below: Servername Category Status Server_1 C_1 Completed Server_2 C_2 Completed Server_3 C_2 Completed Server_4 C_3 …. Test your knowledge with sample questions in the Splunk Certification Exams Study Guide. It took only three seconds to run this search — a four-second difference!. sourcetype="answers-1372957739" | stats list (head_key_value) AS head_key_value by login_id. So let’s look at a simple search command that sums up the number of bytes per IP address from some web logs. Splunk REST API is EASY to use. The status field forms the X-axis, and the host and count fields form the data series. Solved: How to display a total count of results from an IP. any other way to get the same information from a "slave" splunk? thanks. Sum of numeric values in all events in given time period. The following two searches returns the sources series with a total count of events greater than 100. There are several tools you can use to do this, from command-line tools to more advanced analytics tools capable of searching specific fields, calculating summaries, generating charts, and much more. The first part of your question is probably: sourcetype=mynetworkdata | stats sum (bytes) as bytes by src_ip_addr | sort - bytes | head 5. Search the access logs, and return the total number of hits from the top 100 values of "referer_domain" Search the access logs, and return the total number of hits from the top 100 values of "referer_domain". Join datasets on fields that have the same name. I would like to make a total count (total_count) on field C divided by month. Appenders place log messages in their final destinations. Instantly check system status for Splunk Infrastructure Monitoring, Splunk On-Call, and Splunk Synthetic Monitoring, all in one place. which retains the format of the count by domain per source IP and only shows the top 10. This example shows two different searches to generate the calculations. com has a total count of 34 POSTs, and so on, with the Total being the aggregate number of POSTs from all websites?. Cloud Migration Assessment App for Splunk (SCMA). If you want to filter recorded queries by data source, select a data source from the filter by data source drop down menu. Count of each field value (I only get total counts ">Solved: Count of each field value (I only get total counts. For the list of mathematical operators you can use with these functions, see the "Operators" section in eval command usage.