Splunk Search

Count Single Occurrence Based On Value

fward92
Engager

Hello, 

Need some help with the below. We have multiple entries for a single IP, each with a different value in the Status field. I want to know how many hosts Passed, how many Failed and how many were Not Attempted.

IP           Status
10.50.50.50  Passed
10.50.50.50  Failed
10.50.50.50  Not Attempted
10.60.60.60  Passed
10.60.60.60  Failed
10.70.70.70  Passed

If I simply do stats count by Status, I get the below:

Passed: 3
Failed: 2
Not Attempted: 1

But I know there are only 3 IPs, so I need a way to know if a host Passed once and mark it as Passed only:

  • If an IP has a Status of Passed, mark it as 'Passed'
  • If an IP has a Status of Failed and Failed only, then count it as Failed
  • If an IP has a Status of Not Attempted and Not Attempted only, then mark it as Not Attempted

So the output should be the same as the below (Because once an IP has a 'Passed', it shouldn't count towards the other values):
Passed: 3
Failed: 0
Not Attempted: 0

Hope the above makes sense and appreciate the help!

0 Karma

gcusello
SplunkTrust

Hi @fward92,

If it's acceptable for you to take the last value for each IP, try something like this:

your_search
| stats last(Status) AS Status BY IP
| stats count BY Status

Ciao.

Giuseppe


fward92
Engager

Unfortunately, the values in the Status field appear in different orders. Is there a way to do multiple eval commands that take both 'contains Failed' AND 'does not contain Passed' AS Count_Failed?

Something like that might work

0 Karma

gcusello
SplunkTrust

Hi @fward92,

I don't have your data so I cannot test your conditions, but anyway, you can apply the approach of this sample:

index=_internal
| stats values(source) AS source dc(source) AS dc_source BY user
| eval status=if(dc_source=1 OR match(source,"scripted"),"OK","NOK")

In a few words:

  • if you have only one value, you take it,
  • if you have more values, you take the ones that match a word,
  • then you can exclude the "NOK".

Ciao.

Giuseppe

0 Karma
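Putting the thread together, the original priority rule (Passed beats Failed beats Not Attempted, regardless of the order the events arrive in) can be written as a per-IP roll-up followed by a case() on the per-status counts. This is an added example, not code from either poster; the `| makeresults format=csv` block is constructed sample data standing in for `your_search` (it needs a Splunk release that supports the `format=csv` option of makeresults) and extends the question's three IPs with two extra hosts so that the Failed and Not Attempted buckets are not empty:

```spl
| makeresults format=csv data="IP,Status
10.50.50.50,Passed
10.50.50.50,Failed
10.50.50.50,Not Attempted
10.60.60.60,Passed
10.60.60.60,Failed
10.70.70.70,Passed
10.80.80.80,Failed
10.80.80.80,Not Attempted
10.90.90.90,Not Attempted"
| stats count(eval(Status="Passed")) AS n_passed
        count(eval(Status="Failed")) AS n_failed
        count(eval(Status="Not Attempted")) AS n_not_attempted
        BY IP
| eval Status=case(n_passed>0,        "Passed",
                   n_failed>0,        "Failed",
                   n_not_attempted>0, "Not Attempted",
                   true(),            "Unknown")
| stats count BY Status
```

The first stats collapses every event for an IP into one row with three counters, so ordering within the Status field no longer matters; the case() then assigns each host exactly one status in priority order, and the final stats counts hosts rather than events. On the constructed data this yields Passed 3, Failed 1, Not Attempted 1; on the question's original three IPs only the Passed row would appear, because `stats count BY Status` does not emit rows for statuses no host ended up in. If a literal "Failed: 0" line is required for a report, add the missing statuses afterwards (for example with `appendpipe` and `fillnull`) rather than changing the classification logic.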