Splunk Enterprise
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Platform
- :
- Splunk Enterprise
- :
- How to filter streamstats results for two equal va...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
like2splunk
Explorer
05-04-2017
11:36 AM
My search code is as follows:
index="logs" host=tcr2
"Transitioned to Error State" OR "BeamResult Received" OR "scanning controller went to error" OR "session is closed" OR "BeamContext:"
| dedup description consecutive=true
| reverse
| streamstats count(eval(searchmatch("BeamContext:"))) AS SessionID
| stats count(eval(searchmatch("Transitioned to Error State"))) AS error_count count(eval(searchmatch("scanning controller went to error"))) AS qualify_count count(eval(searchmatch("patientId"))) AS patient_count list(_raw) AS _raw BY SessionID
| search error_count>0 qualify_count>0 patient_count>0
Notice the last line. What I want is to be able to search for error_count=qualify_count as well. But when I do this, I get zero results even though I know for sure that there are such scenarios. I only want the results of streamstats for a given "SessionID" in which the number for "error_count" is equal to the number for "qualify_count". Any ideas?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Drahgkar
Engager
05-04-2017
05:51 PM
If you're just trying to find where error_count is equal to qualify_count and patient_count is greater than 0, this snippet that incorporates somesoni2's comment above should work:
| where error_count=qualify_count AND patient_count>0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-11-2017
10:52 PM
As others have indicated, the combined solution should be replacing your last line with something like this:
| where (error_count>0 AND qualify_count>0 AND patient_count>0) OR (error_count=qualify_count)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Drahgkar
Engager
05-04-2017
05:51 PM
If you're just trying to find where error_count is equal to qualify_count and patient_count is greater than 0, this snippet that incorporates somesoni2's comment above should work:
| where error_count=qualify_count AND patient_count>0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
05-04-2017
02:24 PM
Since you're dealing in numbers, use the where command instead of search.
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
