topic Re: Cab a field be used in stats command that's declared in eval command? in Splunk Search

Cab a field be used in stats command that's declared in eval command?

gokikrishnan — Mon, 24 Dec 2018 05:32:14 GMT

How do i write a query to get the above result? I have tried the following things.
1) I have tried to group by TestField in a table
2) Tried converting the C to string again as it can be used in stats command again.

Request you to assist me with regard to the same.

Re: Cab a field be used in stats command that's declared in eval command?

renjith_nair — Mon, 24 Dec 2018 07:53:51 GMT

@gokikrishnan, trying to understand your requirement in bit more detail

The first result looks like A+B and not A-B.
Do you want to convert the first result to second result or do you have already some events which we can look at?
Please provide some sample events and the expected output

Re: Cab a field be used in stats command that's declared in eval command?

gokikrishnan — Mon, 24 Dec 2018 09:16:32 GMT

My Bad, Gave the requirement incorrectly. Sorry.
Here A is Total, I have found B. To find C, I do C=A-B, As of now I am able to get the result as follows:
TF C B A
TF1 1 2 3
TF2 4 5 9
Actually need the query to be displayed as follows:
TF C B
T1 1 2
T2 4 5

Re: Cab a field be used in stats command that's declared in eval command?

renjith_nair — Mon, 24 Dec 2018 10:18:19 GMT

@gokikrishnan,
Not sure whether understand you correctly, but based on your inputs, this should give you the expected result

Your current search to get TF,C,B,A|replace TF* with T* in TF|table TF,C,B

Re: Cab a field be used in stats command that's declared in eval command?

gokikrishnan — Wed, 26 Dec 2018 06:17:28 GMT

Let me explain again clearly,

TFN=Test Field Name, TFE1=TestFieldEntry, TFE2=TestFieldEntry,
C=Field found out from Eval, A=Count of values that is found with based on available fields, B=Count of values that is found with based on available fields. TF has two types of entries. They are TF1 and TF2 respectively.

C is calculated like C=A-B. Used the below query.

I need to get the values of C and B using the by clause grouped by TFN to get the result in the following manner.
TFN C B
TFE1 1 2
TFE2 4 5

Please tell me whether you understand this explanation.

Re: Cab a field be used in stats command that's declared in eval command?

gokikrishnan — Wed, 26 Dec 2018 07:26:48 GMT

I got answer for the same. Thanks Renjith and All.

Re: Cab a field be used in stats command that's declared in eval command?

DalJeanis — Mon, 31 Dec 2018 19:52:25 GMT

@gokikrishnan - We converted the apparently correct comment to an answer. Please accept the answer if that is what got you your solution. If not, then please post your own solution, so that others may benefit, and accept your own answer. Thanks!

Re: Cab a field be used in stats command that's declared in eval command?

woodcock — Tue, 01 Jan 2019 21:34:31 GMT

Your descriptions (I have read all of them) make no sense at all. Show is some sample events, show us a mockup of the desired final output and THEN try to explain the steps required to get from data to final output.