Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Count To Boolean
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I have a requirement wherein I count a specific log in the last minute. The count is supposed to be 1.
I need to convert this count to boolean to show in my visualization. Something like, if count = 1 then True else False.
I need only true or false as output of the query and not with count.
I'm basically trying to create a application status monitoring! Any pointers?
Regards,
Sharad R K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could either change "count" directly with the eval:
| eval count = if(count=1, "true", "false")or you remove "count" after you evaled "countflag" (or any other fieldname of your choice)
| fields - count
Karma and/or Solution tagging appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sample:
| tstats count where index=_internal sourcetype=splunkd by PREFIX("group=")
| eval boolean=if(count>1000,1,0)
| rename COMMENT as "this is the logic"
| eval result=nullif(match(boolean,"1"),"true")- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @sharadrk ,
Is this what you are looking for?
| eval countflag = if(count=1, "true", "false")
("countflag" can be anything, you could eve overwrite the count field itself.)
It's not really boolean, just the strings "true" or "false". In the Documentation it says "The result of an eval expression cannot be a Boolean." But you should be able to work with that way.
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval
Karma and/or Solution tagging appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But the thing is if I use this concept, I get output in a table with Count and then countflag.
That is not what I wanted. I just wanted True or False. How can I not show count and only show countflag?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could either change "count" directly with the eval:
| eval count = if(count=1, "true", "false")or you remove "count" after you evaled "countflag" (or any other fieldname of your choice)
| fields - count
Karma and/or Solution tagging appreciated.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
