topic Simple query to take results and list them as yes/no in Splunk Search https://community.splunk.com/t5/Splunk-Search/Simple-query-to-take-results-and-list-them-as-yes-no/m-p/535427#M151320 <P>Hello.&nbsp;</P><P>I have a large data set that I'm working through that gives either a 5 digit number or a "-" if there is no value. I have my search results but I can't seem to get them into the format I'm looking for.&nbsp;</P><P>I'd like to get the results into a format showing</P><P>Room 1&nbsp;</P><P>Set (total)</P><P>Unset (total)</P><P>And the same for Room 2, 3, 4</P><P>&nbsp;</P><P>Query</P><P>Index=acme dvc_room="*" station="*"&nbsp;</P><P>Output&nbsp;</P><P>index=acme dvc_room=4 station="-"</P><P>index=acme dvc_room=3&nbsp;station="123456"</P><P>index=bluecoat dvc_room=2&nbsp;station="-"</P><P>index=bluecoat dvc_room=1&nbsp;station="56132"</P><P>index=bluecoat dvc_room=3&nbsp;station="-"</P><P>index=bluecoat dvc_room=2&nbsp;station="56132"</P><P>index=bluecoat dvc_room=4 station="56132"</P><P>&nbsp;</P><P>Any help would be appreciated.&nbsp;</P> Tue, 12 Jan 2021 06:08:05 GMT mflippin 2021-01-12T06:08:05Z Simple query to take results and list them as yes/no https://community.splunk.com/t5/Splunk-Search/Simple-query-to-take-results-and-list-them-as-yes-no/m-p/535427#M151320 <P>Hello.&nbsp;</P><P>I have a large data set that I'm working through that gives either a 5 digit number or a "-" if there is no value. I have my search results but I can't seem to get them into the format I'm looking for.&nbsp;</P><P>I'd like to get the results into a format showing</P><P>Room 1&nbsp;</P><P>Set (total)</P><P>Unset (total)</P><P>And the same for Room 2, 3, 4</P><P>&nbsp;</P><P>Query</P><P>Index=acme dvc_room="*" station="*"&nbsp;</P><P>Output&nbsp;</P><P>index=acme dvc_room=4 station="-"</P><P>index=acme dvc_room=3&nbsp;station="123456"</P><P>index=bluecoat dvc_room=2&nbsp;station="-"</P><P>index=bluecoat dvc_room=1&nbsp;station="56132"</P><P>index=bluecoat dvc_room=3&nbsp;station="-"</P><P>index=bluecoat dvc_room=2&nbsp;station="56132"</P><P>index=bluecoat dvc_room=4 station="56132"</P><P>&nbsp;</P><P>Any help would be appreciated.&nbsp;</P> Tue, 12 Jan 2021 06:08:05 GMT https://community.splunk.com/t5/Splunk-Search/Simple-query-to-take-results-and-list-them-as-yes-no/m-p/535427#M151320 mflippin 2021-01-12T06:08:05Z Re: Simple query to take results and list them as yes/no https://community.splunk.com/t5/Splunk-Search/Simple-query-to-take-results-and-list-them-as-yes-no/m-p/535429#M151322 <P>You say your query is&nbsp;</P><LI-CODE lang="markup">Index=acme dvc_room="*" station="*" </LI-CODE><P>but you list output with index=bluecoat</P><P>Maybe this is what you are after</P><LI-CODE lang="markup">your search... | stats sum(eval(if(station="-",0,1))) as Set sum(eval(if(station="-",1,0))) as Unset by dvc_room</LI-CODE><P>Assuming that when you talk about set/unset, you mean that unset is station="-" and set if not.</P><P>&nbsp;</P> Tue, 12 Jan 2021 06:21:51 GMT https://community.splunk.com/t5/Splunk-Search/Simple-query-to-take-results-and-list-them-as-yes-no/m-p/535429#M151322 bowesmana 2021-01-12T06:21:51Z