Solved: Eval with stats on multiple fields

rangarbus · ‎01-10-2022

I am looking for help on stats with eval

Input Events (each json is a event):

{ "app_name": "app1","logEvent": "Received"}
{ "app_name": "app1","logEvent": "Received"}
{ "app_name": "app1","logEvent": "Missing"}
{ "app_name": "app1","logEvent": "Delivered"}
{ "app_name": "app2","logEvent": "Received"}
{ "app_name": "app2","logEvent": "Delivered"}

My current query is :

index=np-dockerlogs sourcetype=sales
| rename log_processed.* as *
| eval logEvent =upper(logEvent) 
| search logEvent IN ("RECEIVED", "DELIVERED", "MISSING")
| stats count by logEvent app_name

Current Output:

app1	RECEIVED	2
app1	MISSING	1
app1	DELIVERED	1
app2	RECEIVED	1
app2	DELIVERED	1

Output i want to generate is to remove MISSING and subtract the count of Missing from Received.

Received = Total Count of Received - Total Count of Missing
Delivered = Total Count of Delivered

app1	RECEIVED	1
app1	DELIVERED	1
app2	RECEIVED	1
app2	DELIVERED	1

Thank you

ITWhisperer · ‎01-10-2022

index=np-dockerlogs sourcetype=sales
| rename log_processed.* as *
| eval logEvent =upper(logEvent) 
| search logEvent IN ("RECEIVED", "DELIVERED", "MISSING")
| chart count by app_name logEvent
| eval RECEIVED=RECEIVED-MISSING
| table app_name RECEIVED DELIVERED
| untable app_name logEvent count

View solution in original post

ITWhisperer · ‎01-10-2022

index=np-dockerlogs sourcetype=sales
| rename log_processed.* as *
| eval logEvent =upper(logEvent) 
| search logEvent IN ("RECEIVED", "DELIVERED", "MISSING")
| chart count by app_name logEvent
| eval RECEIVED=RECEIVED-MISSING
| table app_name RECEIVED DELIVERED
| untable app_name logEvent count

rangarbus · ‎01-10-2022

Thanks @ITWhisperer

I am able to see the data on table format for all app_names and logEvents.

But I couldn't get the "count" on the Single value dashboard based on "app_name" and "logEvent" filter condition.

index=np-dockerlogs sourcetype=sales
| rename log_processed.* as *
| eval logEvent =upper(logEvent) 
| search logEvent IN ("RECEIVED", "DELIVERED", "MISSING")
| chart count by app_name logEvent
| eval RECEIVED=RECEIVED-MISSING
| table app_name RECEIVED DELIVERED
| untable app_name logEvent count
| search app_name=app1 AND logEvent="RECEIVED" 
| stats sum(count) as "RECEIVED"

rangarbus · ‎01-10-2022

It worked actually. My input had issues which caused the SingleValue to be empty.

Eval with stats on multiple fields

eval

fields

stats

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation