Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Calculation based on field matching counts of a value

prabhu_kar
New Member
‎09-03-2013 09:37 PM

We have a CSV fields set defined (shortening it here),

Txn,Destination,Status

test1,NY,Pass

test2,NY,Pass

test2,NY,Pass

test2,NY,Pass

test2,NY,Fail

test1,NY,Pass

test2,NY,Pass

test1,NY,Fail

test2,NY,Fail

Destinations vary as well (taking a simpler case)

Trying to get something very simple then will group by Destination later on

TXN SUCCESS FAILURE RATE
test1 count(Status=Pass) count(Status=Fail)/( count(Status=Pass)+count(Status=Fail))

Iam trying stuff but somehow i cant find a way to search in one search two different count values.. not sure if iam trying to do anything complex here

thanks

Prabhu

Tags (2)
0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎09-03-2013 11:24 PM

Hi prabhu_kar

if i get you correct, you can use the following sample to get a count of certain Status field values:

... | stats count(eval(Status=Pass)) as PassCount by Destination

the PassCount is a new field, which is needed and can be used further.

hope this is some kind of helpful

cheers, MuS

0 Karma
Reply

prabhu_kar
New Member
‎09-04-2013 03:35 AM

Thanks MuS 🙂

0 Karma
Reply

landen99
Motivator
‎12-01-2014 08:49 AM

Just wondering if

|top limit=0 Status by Destination

doesn't do what you want?

top documentation for the options and the usage for top.

0 Karma
Reply

HiroshiSatoh
Champion
‎09-03-2013 11:18 PM

How is such a feeling?

・・・・|stats count as All,count(eval(Status="Pass")) as SUCCESS,count(eval(Status="Fail")) as Fail by Txn|eval "FAILURE RATE"=Fail / All | table Txn,SUCCESS,"FAILURE RATE"

Reply

prabhu_kar
New Member
‎09-04-2013 03:35 AM

Right what I was looking for 🙂

Thanks Hiroshi

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎09-03-2013 11:27 PM

dammit, you beat me on that - need to index more coffee 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...