https://community.splunk.com/t5/Splunk-Search/How-do-I-construct-a-table-with-values-being-evaluated-per/m-p/181705#M52374 <P>That sounds like a solution indeed, but I got stuck with Splunk 4.3.6 at least till the end of a year, any idea if it can be done without lookup? Maybe hard-coded evals per name?</P> Thu, 23 Oct 2014 19:26:52 GMT giovere 2014-10-23T19:26:52Z https://community.splunk.com/t5/Splunk-Search/How-do-I-construct-a-table-with-values-being-evaluated-per/m-p/181697#M52366 <P>I'm not sure I've used the correct terminolgy to ask a question, so I'll jump into example:</P> <P>input:</P> <PRE><CODE>Name,beers Bob,6 Anna,7 Bob,4 Anna,3 Anna,9 Bob,10 Bob,11 </CODE></PRE> <P>I want to count how many times Bob was below 5 and count how many times Anna was below 8. In this case, desired output looks like this:</P> <PRE><CODE> Name,Below,Above Anna,2,1 Bob,1,3 </CODE></PRE> <P>In my struggles came up with this:</P> <PRE><CODE>search ... | eval Desc=case(beers&lt;=5, "Below", beers&gt;5, "Above") | chart count over Name by Desc </CODE></PRE> <P>This would have worked, if I had one criteria, but each of the names have its own.<BR /> Thanks in advance ...</P> Thu, 23 Oct 2014 14:32:28 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-construct-a-table-with-values-being-evaluated-per/m-p/181697#M52366 giovere 2014-10-23T14:32:28Z https://community.splunk.com/t5/Splunk-Search/How-do-I-construct-a-table-with-values-being-evaluated-per/m-p/181698#M52367 <P>Can you clarify what are the columns names.<BR /> In your example we also see that Bob appears several time.<BR /> Bob,6<BR /> Bob,4<BR /> Bob,10<BR /> Bob,11</P> <P>do you want sum all the numbers first ?<BR /> user=Bob count=31</P> <P>then compare count&gt;5 or &lt;8 ?</P> Thu, 23 Oct 2014 14:36:47 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-construct-a-table-with-values-being-evaluated-per/m-p/181698#M52367 yannK 2014-10-23T14:36:47Z https://community.splunk.com/t5/Splunk-Search/How-do-I-construct-a-table-with-values-being-evaluated-per/m-p/181699#M52368 <P>Column names are: Name and beers.</P> <P>I'd like first to conut how many entries with Bob have beers &gt;5 (and &lt;=5) and populate table with that count per name.</P> Thu, 23 Oct 2014 14:52:07 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-construct-a-table-with-values-being-evaluated-per/m-p/181699#M52368 giovere 2014-10-23T14:52:07Z https://community.splunk.com/t5/Splunk-Search/How-do-I-construct-a-table-with-values-being-evaluated-per/m-p/181700#M52369 <P>You say each name has its own comparison value, but where does that come from? It's hard to know how to construct a search without knowing where the input comes from?</P> Thu, 23 Oct 2014 15:11:18 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-construct-a-table-with-values-being-evaluated-per/m-p/181700#M52369 gkanapathy 2014-10-23T15:11:18Z https://community.splunk.com/t5/Splunk-Search/How-do-I-construct-a-table-with-values-being-evaluated-per/m-p/181701#M52370 <P>Comparision values (thresholds) are hard-coded, have to be passed through a query. I agree it is sort of ugly, but I do not have any other way to get them in Splunk.</P> Thu, 23 Oct 2014 15:18:09 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-construct-a-table-with-values-being-evaluated-per/m-p/181701#M52370 giovere 2014-10-23T15:18:09Z https://community.splunk.com/t5/Splunk-Search/How-do-I-construct-a-table-with-values-being-evaluated-per/m-p/181702#M52371 <P>Your search looks ok then,it will update the Desc field for each time the condition is met, and you do the chart count of it</P> <P>try this</P> <P><CODE>search ... | eval Desc=case(beers&lt;=5, "Below", beers&gt;5, "Above", 1=1,"other") | stats count by Name Desc</CODE></P> <P><CODE>search ... | eval Desc=case(beers&lt;=5, "Below", beers&gt;5, "Above", 1=1,"other") | chart count by Name Desc</CODE></P> <P>An alternate method is :</P> <P><CODE>search ... | eval Above=if(beers&gt;5,1,0) | eval Below=if(beers&lt;=5,1,0)| stats sum(Above) AS times_Above sum(Below) AS times_Below by Name</CODE></P> Thu, 23 Oct 2014 16:44:51 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-construct-a-table-with-values-being-evaluated-per/m-p/181702#M52371 yannK 2014-10-23T16:44:51Z https://community.splunk.com/t5/Splunk-Search/How-do-I-construct-a-table-with-values-being-evaluated-per/m-p/181703#M52372 <P>Thank you yannK, I'll give it a try tomorrow, but so far I do not understand where would you define condition for Anna and other names?</P> Thu, 23 Oct 2014 18:31:34 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-construct-a-table-with-values-being-evaluated-per/m-p/181703#M52372 giovere 2014-10-23T18:31:34Z https://community.splunk.com/t5/Splunk-Search/How-do-I-construct-a-table-with-values-being-evaluated-per/m-p/181704#M52373 <P>I see, you want the conditions to be different <EM>PER NAME</EM><BR /> by example Anna is above after 1 beer, but Bob after 5.</P> <P>You need a lookup with those limits in it, one line per name and one columns with the limit value.<BR /> call it as a lookup to add the detail to each event, then add the eval conditions after using those files instead of static values.</P> <P>see lookups. they are simple csv files to upload.<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.1.4/SearchReference/Lookup">http://docs.splunk.com/Documentation/Splunk/6.1.4/SearchReference/Lookup</A></P> <P>example of lookup :<BR /> Name,limit<BR /> Bob,5<BR /> Anna,1</P> <P>Then after defining it call it<BR /> <CODE>search ... | lookup mylookup Name | eval Desc=case(beers&lt;=limit, "Below", beers&gt;limit, "Above", 1=1,"other") | stats count by Name Desc</CODE></P> Thu, 23 Oct 2014 19:01:32 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-construct-a-table-with-values-being-evaluated-per/m-p/181704#M52373 yannK 2014-10-23T19:01:32Z https://community.splunk.com/t5/Splunk-Search/How-do-I-construct-a-table-with-values-being-evaluated-per/m-p/181705#M52374 <P>That sounds like a solution indeed, but I got stuck with Splunk 4.3.6 at least till the end of a year, any idea if it can be done without lookup? Maybe hard-coded evals per name?</P> Thu, 23 Oct 2014 19:26:52 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-construct-a-table-with-values-being-evaluated-per/m-p/181705#M52374 giovere 2014-10-23T19:26:52Z https://community.splunk.com/t5/Splunk-Search/How-do-I-construct-a-table-with-values-being-evaluated-per/m-p/181706#M52375 <P>Probably not the best solution if you have a lot of names, but works Ok with small number of names and Splunk 4.3.*, otherwise with Splunk6 yannK's solution should work fine.</P> <P><CODE>search ... | eval desc=if(match(name,"Bob"),case(beers&lt;=5,"Below",beers&gt;5,"Above"),if(match(name,"Anna"),case(beers&lt;=8,"Below",beers&gt;8,"Above"),"New name")) | stats count(eval(desc="Below")) AS "Below", count(eval(desc="Above")) AS Above by name<BR /> </CODE></P> Fri, 31 Oct 2014 10:54:35 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-construct-a-table-with-values-being-evaluated-per/m-p/181706#M52375 giovere 2014-10-31T10:54:35Z