- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Splunk Query Help
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a table like below
Test_ID Test_Name Status
123 Test1 Passed
123 Test2 Passed
123 Test3 Failed
123 Test4 Passed
345 Test1 Failed
345 Test2 Passed
567 Test1 Passed
567 Test2 Passed
567 . Test3 Passed
So above table has for each Test ID , there are multiple test name and results for each test name.
Now i need to get the unique count of Test_ID only if all the all the test_name in each id are passed. So ideally from above table i should get count as only 1 ....because only Test ID = 567 has passed in all test.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@NAVEEN_CTS - Try something like below-
index=<yourindex>| stats count(eval(Status="Passed")) as P, count(eval(Status="Failed")) as F by Test_ID| where F=0 and P>0| stats count(Test_ID)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Give a try
yourquery....| stats values(Test_Name) as Test_Name, values(Status) as Status by Test_ID | where mvcount(Status)=1 AND Status="Passed"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Alright this should do it:
<your_base_search>
| stats values(Status) as statuses by Test_ID
| where isnull(mvfind(statuses,"Failed"))
| stats count
Explanation:
| stats values(Status) as statuses by Test_ID- creates a multivalue field named "statuses" which contains all the possible values of Status for each Test_ID| where isnull(mvfind(statuses,"Failed"))- excludes any results of the multivalue field statuses that contain a value = to "Failed" - note this uses REGEX so it's case sensitive| stats count- counts the number of results that passed the where clause
Hope this helps
What I ran to test:
| makeresults 1 | eval Test_ID=123, Test_Name="Test1", Status="Passed"
| append [| makeresults 1 | eval Test_ID=123, Test_Name="Test2", Status="Passed"]
| append [| makeresults 1 | eval Test_ID=123, Test_Name="Test3", Status="Failed"]
| append [| makeresults 1 | eval Test_ID=123, Test_Name="Test4", Status="Passed"]
| append [| makeresults 1 | eval Test_ID=345, Test_Name="Test1", Status="Failed"]
| append [| makeresults 1 | eval Test_ID=345, Test_Name="Test2", Status="Passed"]
| append [| makeresults 1 | eval Test_ID=567, Test_Name="Test1", Status="Passed"]
| append [| makeresults 1 | eval Test_ID=567, Test_Name="Test2", Status="Passed"]
| append [| makeresults 1 | eval Test_ID=567, Test_Name="Test3", Status="Passed"]
| stats values(Status) as statuses by Test_ID
| where isnull(mvfind(statuses,"Failed"))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@NAVEEN_CTS - Try something like below-
index=<yourindex>| stats count(eval(Status="Passed")) as P, count(eval(Status="Failed")) as F by Test_ID| where F=0 and P>0| stats count(Test_ID)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you @Vijeta . This worked 🙂
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
