Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can I combine eval & latest?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have scenario were i have the record sets and the number & name will keep changing based on the status
Table : No, Name,Status,Product,ID
Status can be (P-pending,C-cancelled, A-Accepted)
So, if i have to eliminate the duplicate should i use like this
-->index="XXXXX" PRODUCT=O1| dedup PCN |stats count(eval(STATUS="A")) AS APPROVED
or should I use latest ?
Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Specifically, what do you want to count up?
If the status is only the number of A, you can do it.
index="XXXXX" PRODUCT=O1 STATUS="A"| dedup PCN |stats count AS APPROVED
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you @niketnaily @HiroshiSatoh @mayurr98
Status: A -Approved,C-Cancelled & P- Pending
Please find the mock table below and my requirement is to get the count of Approved records and the below will work
index="XXXXX" PRODUCT=O1 STATUS="A"|stats dc(PCN) AS APPROVED
or
index="XXXXX" PRODUCT=O1| dedup PCN |stats count(eval(STATUS="A")) AS APPROVED
However, if i use dedup on P to find the pending status, that can be wrong as the pending records will be moved to cancelled or approved or declined. So, i was wondering whether i can use latest based on the ID and the count the status .
PCN NameProduct ID Status
123 Varun 01 A
121 Arun 01 C
123 Varun 01 P
121 Arun 01 P
124 Don 01 D
124 Don 01 P
Hope i am not confusing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
do you want something like distinct count of PCN where Status=A?
Also, can you tell me what is PCN?
You can try something like this
index="XXXXX" PRODUCT=O1 STATUS="A"|stats dc(PCN) AS APPROVED
let me know if this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@varunapj, I think what would help is, if you can post data sample of what you have and what is the output you want. You can mock/anonymize any sensitive information.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Specifically, what do you want to count up?
If the status is only the number of A, you can do it.
index="XXXXX" PRODUCT=O1 STATUS="A"| dedup PCN |stats count AS APPROVED
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
New Release | Splunk Cloud Platform 10.1.2507
🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2
