Splunk Search

Eval fields to get count and then chart

tkwaller_2
Communicator

I know I'm doing wrong but I cant get it exactly right
Here's what I'm trying to do.

| eval status=if(QuestionAnswer == "Yes", "Compliant", "NonCompliant")
| stats count(status) as total,
count(eval(status="Compliant")) as compliant,
     count(eval(status="NonCompliant")) as noncompliant  
|eval risk= (compliant / total)*100
|chart values(risk) over LOB by QF

I some data that has answers in a field called QuestionAnswer which is "Compliant" or "NonCompliant". I want to total those as total. Then I can eval that to a risk and then chart that over a field called LOB by QF. But it seem this doesnt work and I know its me hahaha

Can someone tell em what I'm doing wrong?
Thanks!

0 Karma

DalJeanis
Legend

Your stats command was destroying the field QF. Any field not listed in a stats command is gone.

your base search
| eval Compliant= case(QuestionAnswer == "Yes", 1)
| eval NonCompliant= case(isnull(Compliant), 1)
| stats count(status) as total,
    count(Compliant) as compliant,
    count(NonCompliant) as noncompliant 
    by QF 
 | eval risk= round(100*compliant / total,0)
 | chart values(risk) over LOB by QF

Also, since you are not using Noncompliant in your chart, this simplifies to...

your base search
| eval Compliant= case(QuestionAnswer == "Yes", 1)
| stats count(status) as total,
    count(Compliant) as compliant,
    by QF 
 | eval risk= round(100*compliant / total,0)
 | chart values(risk) over LOB by QF
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...