https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-get-the-count-of-a-decision-field/m-p/333661#M99220 <P>I tried the query and the results are either 1 or 0 . </P> <P>i also tried with another numerical field " reasonCode" ( like below) , but same results.</P> <P>| stats count(eval(reasonCode="100")) as ACCEPTED by BATCHID</P> <P>sample output<BR /> ACCEPTED<BR /> 1<BR /><BR /> 1 </P> Thu, 20 Apr 2017 06:42:14 GMT sukundur 2017-04-20T06:42:14Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-get-the-count-of-a-decision-field/m-p/333657#M99216 <P>Hi <BR /> I am trying to get the count if a field decision="ACCEPT" or decision="REJECT" by merchant and his ID , but count only return 1 or 0. </P> <PRE><CODE>mysearch .... | transaction alp_batchid startswith="Got file to process: /var/mware/alp/validated" endswith="processed successfully" |rename alp_merchantid as MERCHANTID,alp_batchid as BATCHID,olp_batch_amount as BATCH_AMOUNT,alp_batch_start_time as START_TIME,alp_batch_end_time as END_TIME | eval msg_accepted=if(decision="ACCEPT", 1, 0) | eval msg_rejected=if(decision="REJECT", 1, 0) |eventstats sum(msg_accepted) as ACCEPTED, sum(msg_rejected) as REJECTED,dc(requestID) as BATCH_RECORD_CNT by MERCHANTID,BATCHID | table MERCHANTID, BATCHID,BATCH_RECORD_CNT,ACCEPTED,REJECTED,START_TIME,END_TIME,BATCH_DURATION </CODE></PRE> <P>Issue : ACCEPTED and REJECTED fields are either 1/0.</P> <P>I am trying to use below function to get the count of decision="ACCEPT" or decision="REJECT" but they return either 1 or 0 where there are a total of 100+</P> <PRE><CODE>| eval msg_accepted=if(decision="ACCEPT", 1, 0) | eval msg_rejected=if(decision="REJECT", 1, 0) |eventstats sum(msg_accepted) as ACCEPTED, sum(msg_rejected) as REJECTED,dc(requestID) as BATCH_RECORD_CNT by MERCHANTID,BATCHID </CODE></PRE> Tue, 18 Apr 2017 23:13:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-get-the-count-of-a-decision-field/m-p/333657#M99216 sukundur 2017-04-18T23:13:45Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-get-the-count-of-a-decision-field/m-p/333658#M99217 <P>Why are you building a transaction? I can't tell if you are using it or not. Are you sure that ACCEPT and REJECT are capitalized in the data, and that the decision field actually exists?</P> Wed, 19 Apr 2017 04:02:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-get-the-count-of-a-decision-field/m-p/333658#M99217 lguinn2 2017-04-19T04:02:06Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-get-the-count-of-a-decision-field/m-p/333659#M99218 <P>Perhaps this will be what you want</P> <PRE><CODE>mysearch .... | stats count(eval(decision=="ACCEPT")) as ACCEPTED count(eval(decision=="REJECT")) as REJECTED dc(requestID) as BATCH_RECORD_CNT by alp_merchantid alp_batchid alp_batch_start_time alp_batch_end_time |rename alp_merchantid as MERCHANTID, alp_batchid as BATCHID, olp_batch_amount as BATCH_AMOUNT, alp_batch_start_time as START_TIME, alp_batch_end_time as END_TIME </CODE></PRE> Wed, 19 Apr 2017 04:06:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-get-the-count-of-a-decision-field/m-p/333659#M99218 lguinn2 2017-04-19T04:06:49Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-get-the-count-of-a-decision-field/m-p/333660#M99219 <P>yes they are capitals. </P> Thu, 20 Apr 2017 05:31:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-get-the-count-of-a-decision-field/m-p/333660#M99219 sukundur 2017-04-20T05:31:47Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-get-the-count-of-a-decision-field/m-p/333661#M99220 <P>I tried the query and the results are either 1 or 0 . </P> <P>i also tried with another numerical field " reasonCode" ( like below) , but same results.</P> <P>| stats count(eval(reasonCode="100")) as ACCEPTED by BATCHID</P> <P>sample output<BR /> ACCEPTED<BR /> 1<BR /><BR /> 1 </P> Thu, 20 Apr 2017 06:42:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-get-the-count-of-a-decision-field/m-p/333661#M99220 sukundur 2017-04-20T06:42:14Z