topic Re: Query to display count boolean fields as seperate columns in Splunk Search https://community.splunk.com/t5/Splunk-Search/Query-to-display-count-boolean-fields-as-seperate-columns/m-p/56862#M13917 <P>this was the typo error from me</P> Sat, 07 Sep 2013 02:00:18 GMT kml_uvce 2013-09-07T02:00:18Z Query to display count boolean fields as seperate columns https://community.splunk.com/t5/Splunk-Search/Query-to-display-count-boolean-fields-as-seperate-columns/m-p/56859#M13914 <P>Hello,<BR /> I'm trying to create a splunk query that will enable me to display the count of the TRUE and FALSE values of an operation. Can anybody help with this?</P> <P>The output I'm expecting to display is something like the following.</P> <PRE><CODE>Time Operation Success=True Success=False 10AM ABC 20 0 11AM ABC 30 5 12AM ABC 30 0 </CODE></PRE> <P>Thank You!</P> Fri, 06 Sep 2013 15:16:34 GMT https://community.splunk.com/t5/Splunk-Search/Query-to-display-count-boolean-fields-as-seperate-columns/m-p/56859#M13914 dreamygguy 2013-09-06T15:16:34Z Re: Query to display count boolean fields as seperate columns https://community.splunk.com/t5/Splunk-Search/Query-to-display-count-boolean-fields-as-seperate-columns/m-p/56860#M13915 <PRE><CODE>your query|chart count(eval(&lt;field&gt;=TRUE)) AS Success=True, count(eval(&lt;field&gt;=FALSE)) AS Success=False by Time Operation </CODE></PRE> Fri, 06 Sep 2013 15:54:57 GMT https://community.splunk.com/t5/Splunk-Search/Query-to-display-count-boolean-fields-as-seperate-columns/m-p/56860#M13915 kml_uvce 2013-09-06T15:54:57Z Re: Query to display count boolean fields as seperate columns https://community.splunk.com/t5/Splunk-Search/Query-to-display-count-boolean-fields-as-seperate-columns/m-p/56861#M13916 <P>Thank you for your answer! The only change I made is for the following commands - </P> <P>count(eval(<FIELD>=TRUE)), count(eval(<FIELD>=FALSE)) </FIELD></FIELD></P> <P>the value should be inside quotes.</P> <P>count(eval(<FIELD>="TRUE")) , count(eval(<FIELD>="FALSE"))</FIELD></FIELD></P> Fri, 06 Sep 2013 20:47:54 GMT https://community.splunk.com/t5/Splunk-Search/Query-to-display-count-boolean-fields-as-seperate-columns/m-p/56861#M13916 dreamygguy 2013-09-06T20:47:54Z Re: Query to display count boolean fields as seperate columns https://community.splunk.com/t5/Splunk-Search/Query-to-display-count-boolean-fields-as-seperate-columns/m-p/56862#M13917 <P>this was the typo error from me</P> Sat, 07 Sep 2013 02:00:18 GMT https://community.splunk.com/t5/Splunk-Search/Query-to-display-count-boolean-fields-as-seperate-columns/m-p/56862#M13917 kml_uvce 2013-09-07T02:00:18Z Re: Query to display count boolean fields as seperate columns https://community.splunk.com/t5/Splunk-Search/Query-to-display-count-boolean-fields-as-seperate-columns/m-p/56863#M13918 <P>This syntax doesn't work for me. Is there something missing? I'm v6.2.</P> <P><CODE>index= |chart count(eval(="TRUE")) AS Success=True, count(eval(="FALSE")) AS Success=False by hostname</CODE></P> <P>Error in 'chart' command: The specifier 'AS' is invalid. It must be in form (). For example: max(size).</P> <P>The search job has failed due to an error. You may be able view the job in the Job Inspector.</P> Thu, 02 Apr 2015 19:55:03 GMT https://community.splunk.com/t5/Splunk-Search/Query-to-display-count-boolean-fields-as-seperate-columns/m-p/56863#M13918 proletariat99 2015-04-02T19:55:03Z