Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Conditional count on two values in a single field

rmichel876
Engager
‎05-15-2013 09:29 AM

I'm attempting to do a conditional count directly in a stats function. I want a list by application / version that displays a count of errors and a count of exceptions. I believe I need a conditional count, however filtering my data in the search will not work for my data.

I have a field Severity which contains Errors,Info,Warnings. Severity=Error includes both Exceptions and stuff we classify as an Error. We have another field ExceptionType which if not null, we know that the Severity=Error is really an exception not just a normal error. I want to count the Errors that are not exceptions, and the Exceptions separately. 

search Severity="Error" | eval ErrorSeverity=if(isnotnull(ExceptionType),"Exception","Error") | stats count(ErrorSeverity=Exception) as Exception, count(ErrorSeverity=Error) as Error by Application, Version

The output should look something like this:
Application Version Exception Error
App1 2.2.23 5 3
App1 2.4.23 1 9
App2 1.39.33 29 0
App3 1.39.33 0 54

I should never see both the Error and Exception count = 0, everything should be one or the other since both are classified as Severity="Error"

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tiberious726
Path Finder
‎05-15-2013 10:42 AM

count() isn't smart enough to do conditional logic, so you need to put your try-hard hat on and do it upstream.

Severity="Error" | eval Exception=if(isnotnull(ExceptionType),"1",null()) | eval Error=if(isnull(ExceptionType),"1",null()) | stats count(Exception) as Exception, count(Error) as Error by Application, Version

View solution in original post

Reply
Solved! Jump to solution
Solution

tiberious726
Path Finder
‎05-15-2013 10:42 AM

count() isn't smart enough to do conditional logic, so you need to put your try-hard hat on and do it upstream.

Severity="Error" | eval Exception=if(isnotnull(ExceptionType),"1",null()) | eval Error=if(isnull(ExceptionType),"1",null()) | stats count(Exception) as Exception, count(Error) as Error by Application, Version

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...