https://community.splunk.com/t5/Getting-Data-In/Use-the-same-search-for-mutiple-fields-and-events/m-p/312706#M58604 <P>Thanks.</P> <P>I get the account no and two counters as counter and bothcounters. But for every account no, it is only bothcounters having value as 1 while counter is always 0 which is not the case with respect to events as they got the some of the AcctNo has the appId as New1 and other's don't.</P> Fri, 01 Sep 2017 20:43:30 GMT kdulhan 2017-09-01T20:43:30Z https://community.splunk.com/t5/Getting-Data-In/Use-the-same-search-for-mutiple-fields-and-events/m-p/312701#M58599 <P>In order to search for the error records, I use :</P> <PRE><CODE>ns=app1 Service='trigger1' Id!='temp-100' | Search ErrorResponse </CODE></PRE> <P>Here I get an event like:</P> <PRE><CODE>timestamp ns=app1 [ErrorResponse] Service='trigger1' id=105 ActNo=1234 </CODE></PRE> <P>Now I have to fetch this ActNo field and search with only ActNo=1234. It will list many events and in those I have to look for a field appId = 'New1'. If New1, I have to add it to a counter1 else counter2.</P> <P>Thank you!</P> Fri, 01 Sep 2017 16:51:17 GMT https://community.splunk.com/t5/Getting-Data-In/Use-the-same-search-for-mutiple-fields-and-events/m-p/312701#M58599 kdulhan 2017-09-01T16:51:17Z https://community.splunk.com/t5/Getting-Data-In/Use-the-same-search-for-mutiple-fields-and-events/m-p/312702#M58600 <P>If I've read you right, it would be something like this...</P> <PRE><CODE> timestamp ns=app1 [ErrorResponse] Service='trigger1' id=105 [ns=app1 Service='trigger1' Id!='temp-100' | Search ErrorResponse | table ActNo] | stats count(eval(appId="New1")) as counter count as bothcounters by ActNo | eval counter2 = bothcounters-counter1 </CODE></PRE> <P>This part ...</P> <PRE><CODE> [ns=app1 Service='trigger1' Id!='temp-100' | Search ErrorResponse | table ActNo] </CODE></PRE> <P>...returns a list of ActNo values in this format...</P> <PRE><CODE> ( ( ActNo="firstvalue" ) OR ( ActNo="secondvalue" ) OR ... OR ( ActNo="lastvalue" ) ) </CODE></PRE> <P>then this part </P> <PRE><CODE> timestamp ns=app1 [ErrorResponse] Service='trigger1' id=105 ( ( Actno=... ) </CODE></PRE> <P>... brings back the records, and this part counts them up ...</P> <PRE><CODE> | stats count(eval(appId="New1")) as counter count as bothcounters by ActNo | eval counter2 = bothcounters-counter1 </CODE></PRE> Fri, 01 Sep 2017 17:54:12 GMT https://community.splunk.com/t5/Getting-Data-In/Use-the-same-search-for-mutiple-fields-and-events/m-p/312702#M58600 DalJeanis 2017-09-01T17:54:12Z https://community.splunk.com/t5/Getting-Data-In/Use-the-same-search-for-mutiple-fields-and-events/m-p/312703#M58601 <P>You could try something like this</P> <PRE><CODE>index=whatever [ search ns=app1 Service=trigger1 Id!="temp-100" ErrorResponse | fields ActNo ] | eval counter1 = if(appId=="New1",1,0) | eval counter2 = if(appId=="New1",0,1) | stats sum(counter1) as counter1 sum(counter2) as counter2 by ActNo </CODE></PRE> <P>A few tips:</P> <P>A search like this <CODE>ns=app1 Service=trigger1 Id!="temp-100" | Search ErrorResponse</CODE> should always be rewritten as<BR /> <CODE>ns=app1 Service=trigger1 Id!="temp-100" ErrorResponse</CODE>. Combine as much as possible into a single search.<BR /> Splunk uses double-quotes for strings, but even that is not required in the search command if the string has no spaces or special characters.<BR /> The search within brackets is called a subsearch. The list of ActNo's from the subsearch will be inserted into the outer search.<BR /> Here is more information about <A href="https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchTutorial/Useasubsearch">subsearches</A>.</P> Fri, 01 Sep 2017 17:55:23 GMT https://community.splunk.com/t5/Getting-Data-In/Use-the-same-search-for-mutiple-fields-and-events/m-p/312703#M58601 lguinn2 2017-09-01T17:55:23Z https://community.splunk.com/t5/Getting-Data-In/Use-the-same-search-for-mutiple-fields-and-events/m-p/312704#M58602 <P>oh, nice answer by @Daleanis as well. I could re-write my search as:</P> <PRE><CODE> index=whatever [ search ns=app1 Service=trigger1 Id!="temp-100" ErrorResponse | fields ActNo ] | stats sum(eval(appId=="New1")) as counter1 sum(eval(appId!="New1")) as counter2 by ActNo </CODE></PRE> Fri, 01 Sep 2017 17:57:55 GMT https://community.splunk.com/t5/Getting-Data-In/Use-the-same-search-for-mutiple-fields-and-events/m-p/312704#M58602 lguinn2 2017-09-01T17:57:55Z https://community.splunk.com/t5/Getting-Data-In/Use-the-same-search-for-mutiple-fields-and-events/m-p/312705#M58603 <P>index=l2_idx ns=app1 Service='trigger1' Id!='temp-100 ErrorResponse | fields ActNo | stats sum(eval(appId=="New1")) as counter1 sum(eval(appId!=="New1")) as counter2 by ActNo</P> <P>Getting error as:<BR /> Error in 'stats' command: The eval expression for dynamic field 'eval(appId!=="New1")' is invalid. Error='The expression is malformed. An unexpected character is reached at '="New1"'.</P> Fri, 01 Sep 2017 20:36:53 GMT https://community.splunk.com/t5/Getting-Data-In/Use-the-same-search-for-mutiple-fields-and-events/m-p/312705#M58603 kdulhan 2017-09-01T20:36:53Z https://community.splunk.com/t5/Getting-Data-In/Use-the-same-search-for-mutiple-fields-and-events/m-p/312706#M58604 <P>Thanks.</P> <P>I get the account no and two counters as counter and bothcounters. But for every account no, it is only bothcounters having value as 1 while counter is always 0 which is not the case with respect to events as they got the some of the AcctNo has the appId as New1 and other's don't.</P> Fri, 01 Sep 2017 20:43:30 GMT https://community.splunk.com/t5/Getting-Data-In/Use-the-same-search-for-mutiple-fields-and-events/m-p/312706#M58604 kdulhan 2017-09-01T20:43:30Z https://community.splunk.com/t5/Getting-Data-In/Use-the-same-search-for-mutiple-fields-and-events/m-p/312707#M58605 <P>appId in the event is displayed as appId=='New1'</P> Fri, 01 Sep 2017 20:50:55 GMT https://community.splunk.com/t5/Getting-Data-In/Use-the-same-search-for-mutiple-fields-and-events/m-p/312707#M58605 kdulhan 2017-09-01T20:50:55Z https://community.splunk.com/t5/Getting-Data-In/Use-the-same-search-for-mutiple-fields-and-events/m-p/312708#M58606 <P>appId in the event is displayed as appId=='New1'</P> Fri, 01 Sep 2017 20:51:16 GMT https://community.splunk.com/t5/Getting-Data-In/Use-the-same-search-for-mutiple-fields-and-events/m-p/312708#M58606 kdulhan 2017-09-01T20:51:16Z https://community.splunk.com/t5/Getting-Data-In/Use-the-same-search-for-mutiple-fields-and-events/m-p/312709#M58607 <P>Sorry it is displayed in event with single quotes as appId='New1'</P> Fri, 01 Sep 2017 20:51:50 GMT https://community.splunk.com/t5/Getting-Data-In/Use-the-same-search-for-mutiple-fields-and-events/m-p/312709#M58607 kdulhan 2017-09-01T20:51:50Z https://community.splunk.com/t5/Getting-Data-In/Use-the-same-search-for-mutiple-fields-and-events/m-p/312710#M58608 <P>AppId in the events is displayed with single quotes as appId='New1'</P> Fri, 01 Sep 2017 20:52:19 GMT https://community.splunk.com/t5/Getting-Data-In/Use-the-same-search-for-mutiple-fields-and-events/m-p/312710#M58608 kdulhan 2017-09-01T20:52:19Z https://community.splunk.com/t5/Getting-Data-In/Use-the-same-search-for-mutiple-fields-and-events/m-p/312711#M58609 <P>Can I have eval and stats count after ActNo as<BR /> timestamp ns=app1 [ErrorResponse] Service='trigger1' id=105 [ns=app1 Service='trigger1' Id!='temp-100' | Search ErrorResponse | table ActNo | eval | stats count as "Count1"]</P> <P>Also I want to check if there are records with that ActNo in the outer search or not. If not, I want to write that ActNo.</P> <P>Thank you!</P> Mon, 04 Sep 2017 20:33:13 GMT https://community.splunk.com/t5/Getting-Data-In/Use-the-same-search-for-mutiple-fields-and-events/m-p/312711#M58609 kdulhan 2017-09-04T20:33:13Z