https://community.splunk.com/t5/Splunk-Search/Conditional-count-in-stats-function/m-p/171592#M49181 <P>I need to do the following:</P> <P>Get a distinct count of serial numbers where a selected date falls within a particular range. Figuring out if a serial number is valid per table row is easy:</P> <PRE><CODE>eval inService=if(enteredService&lt;beginTime AND (isnull(leftService) OR leftService&gt;beginTime),1,0) </CODE></PRE> <P>The problem is I want to sum up all of these 1s but only once for each distinct serial number (a serial number can appear in the table multiple times).</P> <P>Currently my stats line looks like this:</P> <PRE><CODE>stats sum(quarterPortion) AS sumQuarter dc(serialNumber) AS countSerNum by modelClass </CODE></PRE> <P>I'm trying to get a ratio between sumQuarter (the amount something is used) and countSerNum (the number of things available for use). This is set up so that I can look at any historical quarter for sumQuarter, but sadly dc(serialNumber) only gives me the current count, not the historical count for the selected timeframe.</P> <P>This is coming from a database query, so I can't just restrict the time range ahead of the search. I want to do something like this:</P> <PRE><CODE>dc(eval if(enteredService&lt;beginTime AND (isnull(leftService) OR leftService&gt;beginTime),serNum)) </CODE></PRE> <P>Obviously this doesn't exactly work.</P> Tue, 05 Aug 2014 17:51:52 GMT willial 2014-08-05T17:51:52Z https://community.splunk.com/t5/Splunk-Search/Conditional-count-in-stats-function/m-p/171592#M49181 <P>I need to do the following:</P> <P>Get a distinct count of serial numbers where a selected date falls within a particular range. Figuring out if a serial number is valid per table row is easy:</P> <PRE><CODE>eval inService=if(enteredService&lt;beginTime AND (isnull(leftService) OR leftService&gt;beginTime),1,0) </CODE></PRE> <P>The problem is I want to sum up all of these 1s but only once for each distinct serial number (a serial number can appear in the table multiple times).</P> <P>Currently my stats line looks like this:</P> <PRE><CODE>stats sum(quarterPortion) AS sumQuarter dc(serialNumber) AS countSerNum by modelClass </CODE></PRE> <P>I'm trying to get a ratio between sumQuarter (the amount something is used) and countSerNum (the number of things available for use). This is set up so that I can look at any historical quarter for sumQuarter, but sadly dc(serialNumber) only gives me the current count, not the historical count for the selected timeframe.</P> <P>This is coming from a database query, so I can't just restrict the time range ahead of the search. I want to do something like this:</P> <PRE><CODE>dc(eval if(enteredService&lt;beginTime AND (isnull(leftService) OR leftService&gt;beginTime),serNum)) </CODE></PRE> <P>Obviously this doesn't exactly work.</P> Tue, 05 Aug 2014 17:51:52 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-count-in-stats-function/m-p/171592#M49181 willial 2014-08-05T17:51:52Z https://community.splunk.com/t5/Splunk-Search/Conditional-count-in-stats-function/m-p/171593#M49182 <P>May be something like this...</P> <PRE><CODE>your base search | eval inService=if(enteredService&lt;beginTime AND (isnull(leftService) OR leftService&gt;beginTime),1,0) | stats sum(quarterPortion) AS sumQuarter dc(serialNumber) AS countSerNum by modelClass,inService |eval countSerNum=countSerNum*inService | stats sum(sumQuarter) as sumQuarter max(countSerNum) as countSerNum by modelClass </CODE></PRE> <P>OR </P> <PRE><CODE>your base search | eval serialNumber=if(enteredService&lt;beginTime AND (isnull(leftService) OR leftService&gt;beginTime),serialNumber,null())| stats sum(quarterPortion) AS sumQuarter dc(serialNumber) AS countSerNum by modelClass </CODE></PRE> Tue, 05 Aug 2014 18:11:31 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-count-in-stats-function/m-p/171593#M49182 somesoni2 2014-08-05T18:11:31Z https://community.splunk.com/t5/Splunk-Search/Conditional-count-in-stats-function/m-p/171594#M49183 <P>I think #2 is working properly (as far as I can tell). I'll revisit this if I discover I'm wrong. Otherwise, high marks for cleverness.</P> Tue, 05 Aug 2014 18:48:03 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-count-in-stats-function/m-p/171594#M49183 willial 2014-08-05T18:48:03Z