topic Re: How to filter streamstats results for two equal variables? in Splunk Enterprise

How to filter streamstats results for two equal variables?

like2splunk — Tue, 29 Sep 2020 13:57:25 GMT

My search code is as follows:

index="logs" host=tcr2
"Transitioned to Error State" OR "BeamResult Received" OR "scanning controller went to error" OR "session is closed" OR "BeamContext:" 
| dedup description consecutive=true
| reverse
| streamstats count(eval(searchmatch("BeamContext:"))) AS SessionID
| stats count(eval(searchmatch("Transitioned to Error State"))) AS error_count count(eval(searchmatch("scanning controller went to error"))) AS qualify_count count(eval(searchmatch("patientId"))) AS patient_count list(_raw) AS _raw BY SessionID
| search error_count>0 qualify_count>0 patient_count>0

Notice the last line. What I want is to be able to search for error_count=qualify_count as well. But when I do this, I get zero results even though I know for sure that there are such scenarios. I only want the results of streamstats for a given "SessionID" in which the number for "error_count" is equal to the number for "qualify_count". Any ideas?

Re: How to filter streamstats results for two equal variables?

somesoni2 — Thu, 04 May 2017 21:24:07 GMT

Since you're dealing in numbers, use the where command instead of search.

Re: How to filter streamstats results for two equal variables?

Drahgkar — Tue, 29 Sep 2020 13:57:50 GMT

If you're just trying to find where error_count is equal to qualify_count and patient_count is greater than 0, this snippet that incorporates somesoni2's comment above should work:

| where error_count=qualify_count AND patient_count>0

Re: How to filter streamstats results for two equal variables?

woodcock — Fri, 12 May 2017 05:52:54 GMT

As others have indicated, the combined solution should be replacing your last line with something like this:

 | where (error_count>0 AND qualify_count>0 AND patient_count>0) OR (error_count=qualify_count)