Splunk Enterprise

How to concatenate different stats and counting fields.

loren3737
Explorer

I am trying to create a stats table that looks like the following:

Side,RTU1,RTU2,RTU3,RAD1,RAD2,RAD3
Status,0,1,1,20,4,13

Where the values for RTU are the on/off status and the values for RAD are the time in the given state. The current search that I am performing completes the subset of the table.

Table:

Side,RTU1,RTU2,RTU3
Status,0,1,1

Search:

sourcetype="snmp_ta"
| rex "::(?<a1>etcRtuConnectionName)\.\"(?<b1>\d+)\"\s+\=\s+\"(?<c1>.*?)\"" max_match=0
| rex "::(?<a2>etcRtuConnectionStatus)\.\"(?<b2>\d+)\"\s+\=\s+\"(?<c2>\S+)\"" max_match=0
| eval d=mvzip(c1,c2)
| mvexpand d
| eval e=mvindex(split(d,","),0), f=mvindex(split(d,","),1)
| table e f _time
| sort _time DESC
| rename e as rtu
| rename f as state 
| eval {rtu}=case(state LIKE "online",1,state LIKE "offline",0,state LIKE "unknown",0,state LIKE "failed",0)
| eval side="Status"
| fields - _time rtu
| stats values(*) as * by side

It seems like it could be possible to use a command like

| stats count(*==0) 

or

|  stats count(*==1) 

However, both those commands are incorrect syntax and adding a second stats command seems to override the first.

Looking for some insights, thank you so much!

0 Karma
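An added example (my own search, not from the original post or from Splunk) of how the per-state counts could be produced in the same pipeline. `count(*==0)` is not valid SPL, but an eval expression inside an aggregate function is, so `count(eval(...))` or `sum(eval(...))` can count rows that match a condition. The example assumes the same `snmp_ta` field extractions as the post, that `online` is the only state that counts as up (every other state maps to 0, where the post's `case()` left unmatched states null), that only the most recent poll per RTU should be reported, and the column names `online_count` and `offline_count` are my own:

```spl
sourcetype="snmp_ta"
| rex "::(?<a1>etcRtuConnectionName)\.\"(?<b1>\d+)\"\s+\=\s+\"(?<c1>.*?)\"" max_match=0
| rex "::(?<a2>etcRtuConnectionStatus)\.\"(?<b2>\d+)\"\s+\=\s+\"(?<c2>\S+)\"" max_match=0
| eval d=mvzip(c1,c2)
| mvexpand d
| eval rtu=mvindex(split(d,","),0), state=mvindex(split(d,","),1)
| eval up=if(state="online",1,0)
| stats latest(up) as up by rtu
| eventstats sum(up) as online_count, count(eval(up=0)) as offline_count
| eval {rtu}=up, side="Status"
| fields - rtu up
| stats values(*) as * by side
```

The `stats latest(up) by rtu` step collapses repeated polls to one row per RTU, so the counts are not inflated by history. `eventstats` with no `by` clause writes the two totals onto every row, and because they are identical on each row the final `stats values(*) as * by side` carries them through as single values alongside the per-RTU columns.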