Solved: Confusion with count

palisetty · ‎12-23-2019

I have a source with 100,000 events. For an Interesting field "action" where it has value as "purchase" with a count of 21,000. I want to make use of stats command with count function to see the count of events in my event list.
I tried this but it is not accepting.

index="main"
| stats count(action) =" purchase" as "Total count of Purchase occurences"

What is the correct syntax, please?

kamlesh_vaghela · ‎12-23-2019

@palisetty

Try this.

index="main" | stats count(eval(action="purchase")) as "Total count of Purchase occurences"

View solution in original post

kamlesh_vaghela · ‎12-23-2019

@palisetty

Try this.

index="main" | stats count(eval(action="purchase")) as "Total count of Purchase occurences"

palisetty · ‎12-23-2019

Thank You. It worked

Confusion with count

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

How Edge Processor's Durable Queue Works

Announcing Modern Navigation: A New Era of Splunk User Experience

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Join the Conversation