Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Conditional count on two values in a single field

rmichel876
Engager
‎05-15-2013 09:29 AM

I'm attempting to do a conditional count directly in a stats function. I want a list by application / version that displays a count of errors and a count of exceptions. I believe I need a conditional count, however filtering my data in the search will not work for my data.

I have a field Severity which contains Errors,Info,Warnings. Severity=Error includes both Exceptions and stuff we classify as an Error. We have another field ExceptionType which if not null, we know that the Severity=Error is really an exception not just a normal error. I want to count the Errors that are not exceptions, and the Exceptions separately. 

search Severity="Error" | eval ErrorSeverity=if(isnotnull(ExceptionType),"Exception","Error") | stats count(ErrorSeverity=Exception) as Exception, count(ErrorSeverity=Error) as Error by Application, Version

The output should look something like this:
Application Version Exception Error
App1 2.2.23 5 3
App1 2.4.23 1 9
App2 1.39.33 29 0
App3 1.39.33 0 54

I should never see both the Error and Exception count = 0, everything should be one or the other since both are classified as Severity="Error"

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tiberious726
Path Finder
‎05-15-2013 10:42 AM

count() isn't smart enough to do conditional logic, so you need to put your try-hard hat on and do it upstream.

Severity="Error" | eval Exception=if(isnotnull(ExceptionType),"1",null()) | eval Error=if(isnull(ExceptionType),"1",null()) | stats count(Exception) as Exception, count(Error) as Error by Application, Version

View solution in original post

Reply
Solved! Jump to solution
Solution

tiberious726
Path Finder
‎05-15-2013 10:42 AM

count() isn't smart enough to do conditional logic, so you need to put your try-hard hat on and do it upstream.

Severity="Error" | eval Exception=if(isnotnull(ExceptionType),"1",null()) | eval Error=if(isnull(ExceptionType),"1",null()) | stats count(Exception) as Exception, count(Error) as Error by Application, Version

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...