Splunk Search

How do I return the number of times a specified value appears in a field?

andrew_f_trobec
Explorer

Hello,

I have a simple issue that I can't resolve, and was hoping for support. I have the following data:

OBJECT ID,NEW STATE
1,STATE ONE
1,STATE TWO
1,STATE THREE
2,STATE ONE
2,STATE TWO
2,STATE ONE

My objective is to return the number of times that "STATE ONE" appears. I have the following code:

index = "SAMPLE INDEX" | stats count(eval("NEW STATE" = "STATE ONE")) as "COUNT"

I was hoping that this would return "COUNT" = 3, but it keeps returning 0.

What am I missing?

Any help would be greatly appreciated. Thank you!

Andrew

0 Karma
1 Solution

somesoni2
SplunkTrust

Try like this

index = "SAMPLE INDEX" "NEW STATE"="STATE ONE" | stats count as "COUNT"

OR (field name with spaces should be enclosed in single quotes)

index = "SAMPLE INDEX" | stats count(eval('NEW STATE' = "STATE ONE")) as "COUNT"


gokadroid
Motivator

I hope it's not doing a string compare and then returning false because of comparing "NEW STATE" as a string rather than "NEW STATE" as a field with "STATE ONE". Try to extract the field name as single-worded text like this and see if it resolves:

yourQuery to return data
| rex "^(?<objectId>[^,]+),(?<newState>.*)$"
| stats count(eval(newState="STATE ONE")) as COUNT
0 Karma

andrew_f_trobec
Explorer

Stupid double quotes! Thank you!

0 Karma
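
A self-contained way to see the difference between the two quoting styles, added here as an example and not part of the original thread: it builds the six sample rows from the question with makeresults (constructed data, no index needed) and counts "STATE ONE" both ways in one stats call. The names n, total_rows, double_quoted_count and single_quoted_count are assumptions made for the illustration.

```spl
| makeresults count=6
| streamstats count as n
| eval "OBJECT ID" = if(n <= 3, 1, 2)
| eval "NEW STATE" = case(n == 1, "STATE ONE", n == 2, "STATE TWO", n == 3, "STATE THREE", n == 4, "STATE ONE", n == 5, "STATE TWO", n == 6, "STATE ONE")
| stats count as total_rows
    count(eval("NEW STATE" = "STATE ONE")) as double_quoted_count
    count(eval('NEW STATE' = "STATE ONE")) as single_quoted_count
```

Inside eval, "NEW STATE" in double quotes is a string literal and 'NEW STATE' in single quotes is the field's value, so double_quoted_count corresponds to the query that returned 0 in the question and single_quoted_count to the corrected one.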