topic Re: conditional distinct count in Splunk Search

conditional distinct count

zahmadian — Mon, 28 Sep 2020 19:52:50 GMT

Hello,

Is there a way I can merge these two searches into a single conditional search?

index="webs" (process_resource>0) AND (subs_id>0)| bucket _time span=1h |stats distinct_count(process_id) as NumProcesses by _time

index="webs" (process_resource==0) AND (subs_id>0)| bucket _time span=1h |stats distinct_count(process_id) as NumProcesses0 by _time

Re: conditional distinct count

stephanefotso — Mon, 28 Sep 2020 19:52:53 GMT

Here you go with appendcols!

index="webs" (process_resource>0) subs_id>0| bucket _time span=1h |stats distinct_count(process_id) as NumProcesses by _time|appendcols [search index="webs" (process_resource>0) subs_id>0| bucket _time span=1h |stats distinct_count(process_id) as NumProcesses0 by _time]|table _time NumProcesses NumProcesses0

Re: conditional distinct count

Runals — Mon, 28 Sep 2020 19:53:01 GMT

index = webs process_resource>=0 subs_id>0 | bucket span=1h _time | stats dc(eval(process_resource>0)) as NumProcesses dc(eval(process_reaource=0)) as NumProcesses0 by _time

Re: conditional distinct count

sideview — Tue, 12 May 2015 05:35:56 GMT

I suspect you want something like this. It uses an eval command to make a new field on each event called "type". For each event the value will be either "zero" or "greater than zero", depending. Then we simply use timechart to render the chart you already had, except we split it by our new type field.

index="webs" (process_resource>=0) AND (subs_id>0) 
| eval type=if(process_resource==0,"zero","greater_than_zero") 
| timechart span=1h distinct_count(process_id) by type