Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Compare one field against itself (Chart)

JoshuaJohn
Contributor
‎05-19-2017 10:06 AM

I have a chart that gives me serial numbers, some of the spots for serial numbers are empty. I want to compare how many are empty vs the total number of serials I have (That are not empty).

So basically a bar graph with 1 bar being total number of serials
The other bar being number of empty serials

|inputlookup Serial_Report.csv |stats count by serial_number|stats sum(serial_number) AS totalSerial | fillnull value="XXX" serial_number | search serial_number="XXX" | stats count by serial_number|stats sum(serial_number) AS totalEmptySerial |fields totalEmptySerial, totalSerial

Any Ideas?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-19-2017 11:40 AM

Give this a try

|inputlookup Serial_Report.csv |stats count by serial_number | eval is_empty=if(serial_number="" OR len(trim(serial_number))=0,1,0)
| stats sum(is_empty) as totalEmptySerial count as totalSerial

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-19-2017 11:40 AM

Give this a try

|inputlookup Serial_Report.csv |stats count by serial_number | eval is_empty=if(serial_number="" OR len(trim(serial_number))=0,1,0)
| stats sum(is_empty) as totalEmptySerial count as totalSerial
0 Karma
Reply
Solved! Jump to solution

JoshuaJohn
Contributor
‎05-19-2017 11:47 AM

https://pasteboard.co/8fKoBncto.png
Not exactly, it doesn't appear to recognize the empty fields

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-19-2017 11:50 AM

How about this

|inputlookup Serial_Report.csv | eval serial_number=if(isnull(serial_number) OR serial_number="" OR len(trim(serial_number))=0,"XXX",serial_number) |stats count by serial_number | eval is_empty=if(serial_number="XXX",1,0)
 | stats sum(is_empty) as totalEmptySerial count as totalSerial
0 Karma
Reply
Solved! Jump to solution

JoshuaJohn
Contributor
‎05-19-2017 11:52 AM

Now I am getting 1 count result for empty, should be around 300.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-19-2017 12:54 PM

Pheww. Try this

 |inputlookup Serial_Report.csv | eval serial_number=if(isnull(serial_number) OR serial_number="" OR len(trim(serial_number))=0,"XXX",serial_number) |stats count by serial_number | eval is_empty=if(serial_number="XXX",count,0)
  | stats sum(is_empty) as totalEmptySerial sum(count) as totalSerial
0 Karma
Reply
Solved! Jump to solution

JoshuaJohn
Contributor
‎05-19-2017 01:17 PM

Ah so close, I still need two bars though. I am not sure if it is possible

Basically one would say 300, the other would be 20,000

This is what your search has created so far
https://pasteboard.co/8hgrpV061.png

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-19-2017 01:21 PM

Let this be the final attempt. Try this

|inputlookup Serial_Report.csv | eval serial_number=if(isnull(serial_number) OR serial_number="" OR len(trim(serial_number))=0,"XXX",serial_number) |stats count by serial_number | eval Metrics=if(serial_number="XXX",split("totalEmptySerial,totalSerial",","),"totalSerial")
   | stats sum(count) as count by Metrics
0 Karma
Reply
Solved! Jump to solution

JoshuaJohn
Contributor
‎05-22-2017 06:35 AM

Thank you!! Perfect.

0 Karma
Reply
Get Updates on the Splunk Community!

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...