Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to filter streamstats results for two equal variables?

like2splunk
Explorer
‎05-04-2017 11:36 AM

My search code is as follows:

index="logs" host=tcr2
"Transitioned to Error State" OR "BeamResult Received" OR "scanning controller went to error" OR "session is closed" OR "BeamContext:" 
| dedup description consecutive=true
| reverse
| streamstats count(eval(searchmatch("BeamContext:"))) AS SessionID
| stats count(eval(searchmatch("Transitioned to Error State"))) AS error_count count(eval(searchmatch("scanning controller went to error"))) AS qualify_count count(eval(searchmatch("patientId"))) AS patient_count list(_raw) AS _raw BY SessionID
| search error_count>0 qualify_count>0 patient_count>0

Notice the last line. What I want is to be able to search for error_count=qualify_count as well. But when I do this, I get zero results even though I know for sure that there are such scenarios. I only want the results of streamstats for a given "SessionID" in which the number for "error_count" is equal to the number for "qualify_count". Any ideas?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Drahgkar
Engager
‎05-04-2017 05:51 PM

If you're just trying to find where error_count is equal to qualify_count and patient_count is greater than 0, this snippet that incorporates somesoni2's comment above should work:

| where error_count=qualify_count AND patient_count>0

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-11-2017 10:52 PM

As others have indicated, the combined solution should be replacing your last line with something like this:

 | where (error_count>0 AND qualify_count>0 AND patient_count>0) OR (error_count=qualify_count)
0 Karma
Reply
Solved! Jump to solution
Solution

Drahgkar
Engager
‎05-04-2017 05:51 PM

If you're just trying to find where error_count is equal to qualify_count and patient_count is greater than 0, this snippet that incorporates somesoni2's comment above should work:

| where error_count=qualify_count AND patient_count>0
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-04-2017 02:24 PM

Since you're dealing in numbers, use the where command instead of search.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | A sphere has three, a circle has two, and a point has zero. What is it?

September 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...