Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Compare one field against itself (Chart)
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
JoshuaJohn
Contributor
05-19-2017
10:06 AM
I have a chart that gives me serial numbers, some of the spots for serial numbers are empty. I want to compare how many are empty vs the total number of serials I have (That are not empty).
So basically a bar graph with 1 bar being total number of serials
The other bar being number of empty serials
|inputlookup Serial_Report.csv |stats count by serial_number|stats sum(serial_number) AS totalSerial | fillnull value="XXX" serial_number | search serial_number="XXX" | stats count by serial_number|stats sum(serial_number) AS totalEmptySerial |fields totalEmptySerial, totalSerial
Any Ideas?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
05-19-2017
11:40 AM
Give this a try
|inputlookup Serial_Report.csv |stats count by serial_number | eval is_empty=if(serial_number="" OR len(trim(serial_number))=0,1,0)
| stats sum(is_empty) as totalEmptySerial count as totalSerial
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
05-19-2017
11:40 AM
Give this a try
|inputlookup Serial_Report.csv |stats count by serial_number | eval is_empty=if(serial_number="" OR len(trim(serial_number))=0,1,0)
| stats sum(is_empty) as totalEmptySerial count as totalSerial
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
JoshuaJohn
Contributor
05-19-2017
11:47 AM
https://pasteboard.co/8fKoBncto.png
Not exactly, it doesn't appear to recognize the empty fields
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
05-19-2017
11:50 AM
How about this
|inputlookup Serial_Report.csv | eval serial_number=if(isnull(serial_number) OR serial_number="" OR len(trim(serial_number))=0,"XXX",serial_number) |stats count by serial_number | eval is_empty=if(serial_number="XXX",1,0)
| stats sum(is_empty) as totalEmptySerial count as totalSerial
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
JoshuaJohn
Contributor
05-19-2017
11:52 AM
Now I am getting 1 count result for empty, should be around 300.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
05-19-2017
12:54 PM
Pheww. Try this
|inputlookup Serial_Report.csv | eval serial_number=if(isnull(serial_number) OR serial_number="" OR len(trim(serial_number))=0,"XXX",serial_number) |stats count by serial_number | eval is_empty=if(serial_number="XXX",count,0)
| stats sum(is_empty) as totalEmptySerial sum(count) as totalSerial
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
JoshuaJohn
Contributor
05-19-2017
01:17 PM
Ah so close, I still need two bars though. I am not sure if it is possible
Basically one would say 300, the other would be 20,000
This is what your search has created so far
https://pasteboard.co/8hgrpV061.png
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
05-19-2017
01:21 PM
Let this be the final attempt. Try this
|inputlookup Serial_Report.csv | eval serial_number=if(isnull(serial_number) OR serial_number="" OR len(trim(serial_number))=0,"XXX",serial_number) |stats count by serial_number | eval Metrics=if(serial_number="XXX",split("totalEmptySerial,totalSerial",","),"totalSerial")
| stats sum(count) as count by Metrics
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
JoshuaJohn
Contributor
05-22-2017
06:35 AM
Thank you!! Perfect.
Get Updates on the Splunk Community!
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...
Shape the Future of Splunk: Join the Product Research Lab!
Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...
Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal
You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...
