Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to count files in which multiple fields meet certain conditions?

fzhao2
Engager
‎02-21-2019 03:45 PM

I have a few files. They all have the same columns and look like this:

timestamp           field1    field2
...
1544079360.84132    99
1544079363.52629              98
1544081067.48075              100
1544081377.48521    100
...

I want to count the files that both field1 and field2 reached 100 or above.

I tried:

... | search field1>=100 AND field2>=100

but it didn't work. I believe it's because there were null values.

So I tried filldown:

... | filldown field1, field2

but it's still not working.

I also tried eventstats and no luck. And I don't prefer eventstats as it gets very slow when data is increasing.

Any thoughts? Thank you!

0 Karma
Reply

vinod94
Contributor
‎02-22-2019 02:57 AM

Hi @fzhao2,

try this...

....|where field1>=100 OR field2>=100

Worked for me

| makeresults 
| eval field1="99, , ,100" 
| makemv delim="," field1 
| mvexpand field1 
| appendcols 
    [| makeresults 
    | eval field2=", ,98,100, ," 
    | makemv delim="," field2 
    | mvexpand field2] 
|where field1>=100 OR field2>=100
0 Karma
Reply

renjith_nair
Legend
‎02-21-2019 07:51 PM

@fzhao2 ,

You might want an OR instead of AND since you dont have values for both fields at the same time.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Splunk Observability Metrics Cost Optimization

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...