topic Re: Please help me make a query that counts by comparing values in Splunk Search

How to make a query that counts by comparing values?

hyewonkim — Thu, 15 Jun 2023 23:05:07 GMT

I'm new to splunk and I'm asking for help. 
I will give an example as below.
if event_id or orig_event are the same, count them
I want to lookup event_id for case not 3. 
Therefore, in this case, the count of event_id 7 is 2, not 3, so 7 should be the lookup.
could you possibly help me?

[data table]

index	type	event_id	orig_event_id
A	a	1
A	b		1
B	c		1
A	a	3
A	b		3
B	c	3
A	a		5
A	b	5
B	c		5
A	a		7
A	b	7

[result]

A	a		7
A	b	7

Re: Please help me make a query that counts by comparing values

ITWhisperer — Thu, 15 Jun 2023 11:36:52 GMT

Not sure if this is what you are after as your description does quite tally with your example

| stats count(eval(event_id == orig_event_id)) as count by index type

Re: Please help me make a query that counts by comparing values

hyewonkim — Thu, 15 Jun 2023 12:59:24 GMT

There were some mistakes in the content. It has only one value among orig_event_id and event_id.

Re: Please help me make a query that counts by comparing values

ITWhisperer — Thu, 15 Jun 2023 13:06:16 GMT

Are you just after the last event_id and orig_event_id by index and type?

| stats last(event_id) as event_id last(orig_event_id) as orig_event_id by index type