Solved: Eval with stats on multiple fields

rangarbus · ‎01-10-2022

I am looking for help on stats with eval

Input Events (each json is a event):

{ "app_name": "app1","logEvent": "Received"}
{ "app_name": "app1","logEvent": "Received"}
{ "app_name": "app1","logEvent": "Missing"}
{ "app_name": "app1","logEvent": "Delivered"}
{ "app_name": "app2","logEvent": "Received"}
{ "app_name": "app2","logEvent": "Delivered"}

My current query is :

index=np-dockerlogs sourcetype=sales
| rename log_processed.* as *
| eval logEvent =upper(logEvent) 
| search logEvent IN ("RECEIVED", "DELIVERED", "MISSING")
| stats count by logEvent app_name

Current Output:

app1	RECEIVED	2
app1	MISSING	1
app1	DELIVERED	1
app2	RECEIVED	1
app2	DELIVERED	1

Output i want to generate is to remove MISSING and subtract the count of Missing from Received.

Received = Total Count of Received - Total Count of Missing
Delivered = Total Count of Delivered

app1	RECEIVED	1
app1	DELIVERED	1
app2	RECEIVED	1
app2	DELIVERED	1

Thank you

ITWhisperer · ‎01-10-2022

index=np-dockerlogs sourcetype=sales
| rename log_processed.* as *
| eval logEvent =upper(logEvent) 
| search logEvent IN ("RECEIVED", "DELIVERED", "MISSING")
| chart count by app_name logEvent
| eval RECEIVED=RECEIVED-MISSING
| table app_name RECEIVED DELIVERED
| untable app_name logEvent count

View solution in original post

ITWhisperer · ‎01-10-2022

index=np-dockerlogs sourcetype=sales
| rename log_processed.* as *
| eval logEvent =upper(logEvent) 
| search logEvent IN ("RECEIVED", "DELIVERED", "MISSING")
| chart count by app_name logEvent
| eval RECEIVED=RECEIVED-MISSING
| table app_name RECEIVED DELIVERED
| untable app_name logEvent count

rangarbus · ‎01-10-2022

Thanks @ITWhisperer

I am able to see the data on table format for all app_names and logEvents.

But I couldn't get the "count" on the Single value dashboard based on "app_name" and "logEvent" filter condition.

index=np-dockerlogs sourcetype=sales
| rename log_processed.* as *
| eval logEvent =upper(logEvent) 
| search logEvent IN ("RECEIVED", "DELIVERED", "MISSING")
| chart count by app_name logEvent
| eval RECEIVED=RECEIVED-MISSING
| table app_name RECEIVED DELIVERED
| untable app_name logEvent count
| search app_name=app1 AND logEvent="RECEIVED" 
| stats sum(count) as "RECEIVED"

rangarbus · ‎01-10-2022

It worked actually. My input had issues which caused the SingleValue to be empty.

Eval with stats on multiple fields

eval

fields

stats

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

What Is Splunk? Here’s What You Can Do with Splunk

Level Up Your .conf25: Splunk Arcade Comes to Boston

Are you a member of the Splunk Community?