topic Re: eventstats with conditions in Splunk Search

eventstats with conditions

LearningGuy — Wed, 12 Jun 2024 02:35:31 GMT

Hello,

Is it possible to use eventstats with conditions?
For example:
I only want to apply eventstats only if field name contains "student-1"

| eventstats values(if(match(name,"student-1"), name, null())) as student by grade

Please suggest.

Thanks

Re: eventstats with conditions

bowesmana — Wed, 12 Jun 2024 04:34:27 GMT

The values() statement requires 'eval', i.e.

| eventstats values(eval(if(match(name,"student-1"), name, null()))) as student by grade

Re: eventstats with conditions

LearningGuy — Thu, 13 Jun 2024 11:55:28 GMT

Hello @bowesmana

The eval match condition worked, but it didn't give me the result I expected.

Is it possible to use "eventstat match condition" to group the student based on partialname?

Do you think moving to evenstat makes the search more efficient?
I appreciate your help. Thank you so much

without "eventstat match condition" - it worked

| makeresults format=csv data="grade,name A,student-1-a A,student-1-b A,student-1-c A,student-2-a A,student-2-b A,student-2-c" | eval partialname=substr(name,0,9) | eventstats values(name) as student by partialname

with "eventstat match condition" - it didn't work

Data:

class	name
class-1	student-1-a
class-1	student-1-b
class-1	student-1-c
class-1	student-2-a
class-1	student-2-b
class-1	student-2-c

Expected result

grade	name	student
A	student-1-a	student-1-a
		student-1-b
		student-1-c
A	student-1-b	student-1-a
		student-1-b
		student-1-c
A	student-1-c	student-1-a
		student-1-b
		student-1-c
A	student-2-a	student-2-a
		student-2-b
		student-2-c
A	student-2-b	student-2-a
		student-2-b
		student-2-c
A	student-2-c	student-2-a
		student-2-b
		student-2-c

Currently here's the result with eventstats match condition

grade	name	partialname	student
A	student-1-a	student-1	student-1-a
			student-1-b
			student-1-c
			student-2-a
			student-2-b
			student-2-c
A	student-1-b	student-1	student-1-a
			student-1-b
			student-1-c
			student-2-a
			student-2-b
			student-2-c
A	student-1-c	student-1	student-1-a
			student-1-b
			student-1-c
			student-2-a
			student-2-b
			student-2-c
A	student-2-a	student-2	student-1-a
			student-1-b
			student-1-c
			student-2-a
			student-2-b
			student-2-c
A	student-2-b	student-2	student-1-a
			student-1-b
			student-1-c
			student-2-a
			student-2-b
			student-2-c
A	student-2-c	student-2	student-1-a
			student-1-b
			student-1-c
			student-2-a
			student-2-b
			student-2-c

Re: eventstats with conditions

bowesmana — Fri, 14 Jun 2024 01:46:07 GMT

I'm a little unclear on your requirement, but your working eventstats example that gives you the "Expected result" of

grade	name	student
A	student-1-a	student-1-a
		student-1-b
		student-1-c
A	student-1-b	student-1-a
		student-1-b
		student-1-c

...

so you want all values of student-X-Y to be included for each combination of student-X-Y?

In that case, you don't need the match statement, so what is the issue?

Depending on the data volume, eventstats can be slower, so you could use this variant

... | eval partialname=substr(name,0,9) | stats values(name) as student by grade partialname | eval name=student | mvexpand name

that uses stats, which will be more efficient than eventstats, but then mvexpand will be slower, but you cna measure the performance if volume is an issue.

Re: eventstats with conditions

LearningGuy — Fri, 14 Jun 2024 12:07:13 GMT

Hi @bowesmana

so you want all values of student-X-Y to be included for each combination of student-X-Y?
>> yes, like it is in the expected result

In that case, you don't need the match statement, so what is the issue?
>> I figured out after I posted this that I don't need the match statement, but I am curious if it also can be done using match statement. So, in this case it won't work using match statement, correct?

Thanks for your help.

Re: eventstats with conditions

bowesmana — Mon, 17 Jun 2024 00:58:46 GMT

Correct, the match statement will break things because all events will all match the match key