Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Count of zero and non zero values in a table?

mihikaraj
New Member
‎11-20-2018 07:36 PM

I have a search which generates a table as below. The column value is epoch time.

IP 1542682800 1542684600 1542686400 1542688200 1542690000 1542691800 1542693600
10.7.13.1 0 0 0 59 84 51 0
10.7.13.2 0 61 140 103 136 102 0
10.7.14.3 0 0 0 0 0 0 0
10.7.15.4 0 0 22 6 3 0 0
10.7.15.5 60 12 138 84 15 0 0
10.7.34.6 0 0 0 0 0 0 0
10.7.34.7 0 0 0 0 0 0 0

Search is like this :
base search |
| bucket span=30m _time
| chart count(people) by IP _time limit=500 | sort _time

I am trying to add two columns which would have the count of zero and non-zero values for a particular IP. Any help with this is appreciated.

So for the 1st row above will have zero count 4 and non zero count 3 and so on for each row.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-21-2018 08:22 AM

Like this:

base search
| bucket span=30m _time 
| chart count(people) by IP _time limit=500
| sort _time
| eval zeroCount=0. count=0
| foreach 15* [ eval count = count + 1, zeroCount = zeroCount + if(($<<FIELD>>$ == 0, 1, 0) ]

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-21-2018 08:22 AM

Like this:

base search
| bucket span=30m _time 
| chart count(people) by IP _time limit=500
| sort _time
| eval zeroCount=0. count=0
| foreach 15* [ eval count = count + 1, zeroCount = zeroCount + if(($<<FIELD>>$ == 0, 1, 0) ]
0 Karma
Reply
Solved! Jump to solution

mihikaraj
New Member
‎11-21-2018 02:30 PM

Thanks @woodcock. Gives me what I was expecting with a little tweak in the syntax.

0 Karma
Reply
Solved! Jump to solution

mihikaraj
New Member
‎11-22-2018 04:58 PM

@woodcock, Is there a way to have a new row at the bottom which is average of that column values? I tried using foreach but not able to.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-22-2018 08:31 PM

Add this:

| appendpipe [ stats avg(zeroCount) AS zeroCount ]
0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...