Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Count of zero and non zero values in a table?

mihikaraj
New Member
‎11-20-2018 07:36 PM

I have a search which generates a table as below. The column value is epoch time.

IP 1542682800 1542684600 1542686400 1542688200 1542690000 1542691800 1542693600
10.7.13.1 0 0 0 59 84 51 0
10.7.13.2 0 61 140 103 136 102 0
10.7.14.3 0 0 0 0 0 0 0
10.7.15.4 0 0 22 6 3 0 0
10.7.15.5 60 12 138 84 15 0 0
10.7.34.6 0 0 0 0 0 0 0
10.7.34.7 0 0 0 0 0 0 0

Search is like this :
base search |
| bucket span=30m _time
| chart count(people) by IP _time limit=500 | sort _time

I am trying to add two columns which would have the count of zero and non-zero values for a particular IP. Any help with this is appreciated.

So for the 1st row above will have zero count 4 and non zero count 3 and so on for each row.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-21-2018 08:22 AM

Like this:

base search
| bucket span=30m _time 
| chart count(people) by IP _time limit=500
| sort _time
| eval zeroCount=0. count=0
| foreach 15* [ eval count = count + 1, zeroCount = zeroCount + if(($<<FIELD>>$ == 0, 1, 0) ]

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-21-2018 08:22 AM

Like this:

base search
| bucket span=30m _time 
| chart count(people) by IP _time limit=500
| sort _time
| eval zeroCount=0. count=0
| foreach 15* [ eval count = count + 1, zeroCount = zeroCount + if(($<<FIELD>>$ == 0, 1, 0) ]
0 Karma
Reply
Solved! Jump to solution

mihikaraj
New Member
‎11-21-2018 02:30 PM

Thanks @woodcock. Gives me what I was expecting with a little tweak in the syntax.

0 Karma
Reply
Solved! Jump to solution

mihikaraj
New Member
‎11-22-2018 04:58 PM

@woodcock, Is there a way to have a new row at the bottom which is average of that column values? I tried using foreach but not able to.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-22-2018 08:31 PM

Add this:

| appendpipe [ stats avg(zeroCount) AS zeroCount ]
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...