Splunk Search

Count Single Occurrence Based On Value

fward92
Engager

Hello, 

Need some help with the below. We have multiple entries for a single IP that has multiple results as the Status field. I want to know 'How many Hosts Passed, How many Failed and how many were Not Attempted'.

IP            Status
10.50.50.50   Passed
10.50.50.50   Failed
10.50.50.50   Not Attempted
10.60.60.60   Passed
10.60.60.60   Failed
10.70.70.70   Passed

If I simply do stats count by Status, I get the below:

Passed: 3
Failed: 2
Not Attempted: 1

But I know there are only 3 IPs, so I need a way to know if a host Passed once and mark it as Passed only:

  • If an IP has a Status of Passed, mark it as 'Passed'
  • If an IP has a status of Failed and Failed only, then count it as Failed
  • If an IP has a status of Not Attempted and Not Attempted only, then mark it as Not Attempted

So the output should be the same as the below (Because once an IP has a 'Passed', it shouldn't count towards the other values):
Passed: 3
Failed: 0
Not Attempted: 0

Hope the above makes sense and appreciate the help!

0 Karma

gcusello
SplunkTrust

Hi @fward92,

If it's acceptable for you to take the last value for each IP, try something like this:

your_search
| stats last(Status) AS Status BY IP
| stats count BY Status

Ciao.

Giuseppe


fward92
Engager

Unfortunately, the values in the Status field appear in different orders. Is there a way to do multiple eval commands that take both a 'contains Failed' AND 'does not contain Passed' AS Count_Failed?

Something like that might work

0 Karma

gcusello
SplunkTrust

Hi @fward92,

I don't have your data so I cannot test your conditions, but anyway, you can apply the approach of this sample:

index=_internal
| stats values(source) AS source dc(source) AS dc_source BY user
| eval status=if(dc_source=1 OR match(source,"scripted"),"OK","NOK")

In a few words:

  • if you have only one value, you take it,
  • if you have more values, you take the ones that match a word,
  • then you can exclude the "NOK".

Ciao.

Giuseppe

0 Karma
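To make the precedence rule from the question concrete, here is an added example (not code from the thread) that builds the sample rows inline with makeresults, collapses each IP to one status with Passed taking priority over Failed and Failed over Not Attempted, and then counts hosts. It assumes Splunk 9.x for the `makeresults format=csv data=` syntax, and it adds two constructed IPs (10.80.80.80, 10.90.90.90) beyond the poster's data so the Failed and Not Attempted branches are exercised.

```spl
| makeresults format=csv data="IP,Status
10.50.50.50,Passed
10.50.50.50,Failed
10.50.50.50,Not Attempted
10.60.60.60,Passed
10.60.60.60,Failed
10.70.70.70,Passed
10.80.80.80,Failed
10.80.80.80,Not Attempted
10.90.90.90,Not Attempted"
``` collect every distinct Status seen for each IP, regardless of event order
| stats values(Status) AS statuses BY IP
``` mvfind returns the index of the first multivalue entry matching the regex, or null;
    case() evaluates top to bottom, so Passed wins over Failed, and Failed over the rest
| eval final_status=case(
    isnotnull(mvfind(statuses, "^Passed$")), "Passed",
    isnotnull(mvfind(statuses, "^Failed$")), "Failed",
    true(), "Not Attempted")
``` each IP is now a single row, so this counts hosts rather than events
| stats count BY final_status
```

With the constructed data this yields Passed 3, Failed 1, Not Attempted 1; on the poster's original three IPs alone it yields Passed 3, Failed 0, Not Attempted 0, and the zero rows are simply absent from the output.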