topic Re: How do I compare field results to counts? in Splunk Search

How do I compare field results to counts?

bcarnot — Wed, 12 Sep 2018 05:11:38 GMT

Hi
I have three communication types: Start, Update, Restore.

Each event can have multiple communication types to multiple prems.

I am trying to declare success if the number of "restore" messages sent is equal or greater than the number of "start" messages.

Event 486 would be a success and 393, 404 and 406 would fail.

EVENT_ID type prem
393 restore 434
393 start 474
404 restore 21
406 start 10
406 restore 19
486 restore 1
486 start 1

<<| transaction source, EVENT_ID 
| rex "^(?[^,]+),(?[^,]+),(?<code>[^,]+),(?[^,]+),(?[^,\r\n]*)"
| rex field=source "(?[^-]*)_18"  
| rex "premisecount:\s(?\d+)"
|  rex field=source "(?[^_]*).csv"
| stats count sum(premisecount) by EVENT_ID,type | rename "sum(premisecount)" as prem ]
|table ,EVENT_ID, type, prem>>
</code>

Re: How do I compare field results to counts?

bcarnot — Wed, 12 Sep 2018 05:37:00 GMT

sorry 406 would be a success

Re: How do I compare field results to counts?

SathyaNarayanan — Tue, 29 Sep 2020 21:14:39 GMT

You need to create a eval function for this

Re: How do I compare field results to counts?

bcarnot — Wed, 12 Sep 2018 15:28:19 GMT

@SathyaNarayanan thank you for the response. The recommendation returns all zeros. I think this is because the count is by prem, not type. How can one tie the two together? The recommendation is exactly what is trying to be accomplished to count the successes and failures.
Thank you