How to count files in which multiple fields meet c...

fzhao2 · ‎02-21-2019

I have a few files. They all have the same columns and look like this:

timestamp           field1    field2
...
1544079360.84132    99
1544079363.52629              98
1544081067.48075              100
1544081377.48521    100
...

I want to count the files that both field1 and field2 reached 100 or above.

I tried:

... | search field1>=100 AND field2>=100

but it didn't work. I believe it's because there were null values.

So I tried filldown:

... | filldown field1, field2

but it's still not working.

I also tried eventstats and no luck. And I don't prefer eventstats as it gets very slow when data is increasing.

Any thoughts? Thank you!

vinod94 · ‎02-22-2019

Hi @fzhao2,

try this...

....|where field1>=100 OR field2>=100

Worked for me

| makeresults 
| eval field1="99, , ,100" 
| makemv delim="," field1 
| mvexpand field1 
| appendcols 
    [| makeresults 
    | eval field2=", ,98,100, ," 
    | makemv delim="," field2 
    | mvexpand field2] 
|where field1>=100 OR field2>=100

renjith_nair · ‎02-21-2019

@fzhao2 ,

You might want an OR instead of AND since you dont have values for both fields at the same time.

---
What goes around comes around. If it helps, hit it with Karma 🙂

How to count files in which multiple fields meet certain conditions?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation