Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to filter streamstats results for two equal variables?

like2splunk
Explorer
‎05-04-2017 11:36 AM

My search code is as follows:

index="logs" host=tcr2
"Transitioned to Error State" OR "BeamResult Received" OR "scanning controller went to error" OR "session is closed" OR "BeamContext:" 
| dedup description consecutive=true
| reverse
| streamstats count(eval(searchmatch("BeamContext:"))) AS SessionID
| stats count(eval(searchmatch("Transitioned to Error State"))) AS error_count count(eval(searchmatch("scanning controller went to error"))) AS qualify_count count(eval(searchmatch("patientId"))) AS patient_count list(_raw) AS _raw BY SessionID
| search error_count>0 qualify_count>0 patient_count>0

Notice the last line. What I want is to be able to search for error_count=qualify_count as well. But when I do this, I get zero results even though I know for sure that there are such scenarios. I only want the results of streamstats for a given "SessionID" in which the number for "error_count" is equal to the number for "qualify_count". Any ideas?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Drahgkar
Engager
‎05-04-2017 05:51 PM

If you're just trying to find where error_count is equal to qualify_count and patient_count is greater than 0, this snippet that incorporates somesoni2's comment above should work:

| where error_count=qualify_count AND patient_count>0

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-11-2017 10:52 PM

As others have indicated, the combined solution should be replacing your last line with something like this:

 | where (error_count>0 AND qualify_count>0 AND patient_count>0) OR (error_count=qualify_count)
0 Karma
Reply
Solved! Jump to solution
Solution

Drahgkar
Engager
‎05-04-2017 05:51 PM

If you're just trying to find where error_count is equal to qualify_count and patient_count is greater than 0, this snippet that incorporates somesoni2's comment above should work:

| where error_count=qualify_count AND patient_count>0
0 Karma
Reply
Solved! Jump to solution

somesoni2
SplunkTrust
SplunkTrust
‎05-04-2017 02:24 PM

Since you're dealing in numbers, use the where command instead of search.

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...