Splunk Enterprise
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Platform
- :
- Splunk Enterprise
- :
- How to filter streamstats results for two equal va...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
like2splunk
Explorer
05-04-2017
11:36 AM
My search code is as follows:
index="logs" host=tcr2
"Transitioned to Error State" OR "BeamResult Received" OR "scanning controller went to error" OR "session is closed" OR "BeamContext:"
| dedup description consecutive=true
| reverse
| streamstats count(eval(searchmatch("BeamContext:"))) AS SessionID
| stats count(eval(searchmatch("Transitioned to Error State"))) AS error_count count(eval(searchmatch("scanning controller went to error"))) AS qualify_count count(eval(searchmatch("patientId"))) AS patient_count list(_raw) AS _raw BY SessionID
| search error_count>0 qualify_count>0 patient_count>0
Notice the last line. What I want is to be able to search for error_count=qualify_count as well. But when I do this, I get zero results even though I know for sure that there are such scenarios. I only want the results of streamstats for a given "SessionID" in which the number for "error_count" is equal to the number for "qualify_count". Any ideas?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Drahgkar
Engager
05-04-2017
05:51 PM
If you're just trying to find where error_count is equal to qualify_count and patient_count is greater than 0, this snippet that incorporates somesoni2's comment above should work:
| where error_count=qualify_count AND patient_count>0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-11-2017
10:52 PM
As others have indicated, the combined solution should be replacing your last line with something like this:
| where (error_count>0 AND qualify_count>0 AND patient_count>0) OR (error_count=qualify_count)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Drahgkar
Engager
05-04-2017
05:51 PM
If you're just trying to find where error_count is equal to qualify_count and patient_count is greater than 0, this snippet that incorporates somesoni2's comment above should work:
| where error_count=qualify_count AND patient_count>0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
05-04-2017
02:24 PM
Since you're dealing in numbers, use the where command instead of search.
Get Updates on the Splunk Community!
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Index This | What goes away as soon as you talk about it?
May 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this month’s ...
What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025
This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...
