Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Summary Index - How to count using eval on a specific field equals to true

beriwalnishant
Path Finder
‎01-06-2022 03:27 AM

Hi Team,

I am stuck with a query that is not working.

I have set up a summary index that collects data every 1 hour and every 15min.

I have a field 'isCostChanged' which I want to count basis 'Yes' and 'No' in Summary Index.

Using this query :

index=summary-my-sumdata splunk_server_group=default reporttype=costchangecount reporttime=fifteenmin isCostChanged=*

| stats sum(count) as Total, sum(eval(isCostChanged="true")) as CostChanged, sum(eval(isCostChanged="false")) as NoCostChanged by CountryCode
| eval CostChangeRatio=round((CostChanged/Total)*100,2)
| eval NoCostChangeRatio=round((NoCostChanged/Total)*100,2)
| fields CountryCode, NoCostChanged, CostChanged, CostChangeRatio

 

What its doing - Total count is correct but the count for isCostChanged=true and =false is not correct, the count is less

if I do this below to verify the data, the count is correct

| stats sum(count) as Total by isCostChanged

Can you help how to achieve this 

Thanks in advance 

Nishant

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-06-2022 04:33 AM

Summing count as total is not the same as counting change and no change events

index=summary-my-sumdata splunk_server_group=default reporttype=costchangecount reporttime=fifteenmin isCostChanged=*

| eval changeCost=if(isCostChanged="true",count,0)
| eval noChangeCost=if(isCostChanged="false",count,0)
| stats sum(count) as Total, sum(changeCost) as CostChanged, sum(noChangeCost) as NoCostChanged by CountryCode
| eval CostChangeRatio=round((CostChanged/Total)*100,2)
| eval NoCostChangeRatio=round((NoCostChanged/Total)*100,2)
| fields CountryCode, NoCostChanged, CostChanged, CostChangeRatio

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-06-2022 04:33 AM

Summing count as total is not the same as counting change and no change events

index=summary-my-sumdata splunk_server_group=default reporttype=costchangecount reporttime=fifteenmin isCostChanged=*

| eval changeCost=if(isCostChanged="true",count,0)
| eval noChangeCost=if(isCostChanged="false",count,0)
| stats sum(count) as Total, sum(changeCost) as CostChanged, sum(noChangeCost) as NoCostChanged by CountryCode
| eval CostChangeRatio=round((CostChanged/Total)*100,2)
| eval NoCostChangeRatio=round((NoCostChanged/Total)*100,2)
| fields CountryCode, NoCostChanged, CostChanged, CostChangeRatio
Reply
Solved! Jump to solution

beriwalnishant
Path Finder
‎01-06-2022 04:53 AM

@ITWhisperer 
Though I dont doubt this query and sure is the most simple one but i just want to see the different ways people have before I click on 'Accept as solution'

Which I will do just want to see what others come up with - good to have more than one solution


0 Karma
Reply
Solved! Jump to solution

beriwalnishant
Path Finder
‎01-06-2022 04:52 AM

Incredibly brilliant sir @ITWhisperer 

That was awesome, it's so sad that on SI the simple sum(eval) doesn't work but no issues with your work around rocks.

I checked and **bleep**, the count is bang on.

The solution will make my queries lengthy but no worries as its a simple workaround 

 

Thanks a lot again

0 Karma
Reply
Get Updates on the Splunk Community!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Index This | What goes away as soon as you talk about it?

May 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...
Top