Splunk Search

How can I count both events that are tagged and those that aren't?

Phil219
Path Finder

I currently use the following to count the number of names that are tagged as cool:

... tag::cool | stats dc("Name")

This gives me a count of cool kids. I would like to compare the number of kids that are "cool" with those that are not cool. Any ideas how I can get those two numbers?

Tags (3)
0 Karma
1 Solution

MuS
SplunkTrust
SplunkTrust

Hi Phil219,

you can do something like this:

  tag::cool OR tag::uncool | stats count(eval(tag="cool")) AS cool count(eval(tag="uncool")) AS uncool count AS total

to get a count of cool things, uncool things and a total count of both events.

Update
Just in case there is no tag::uncool you can use this search:

 tag::* OR NOT tag::* | stats count(eval(tag="cool")) AS cool sum(eval(if(isnull(tag), 1, 0))) AS uncool count AS total

Hope this helps ...

cheers, MuS

View solution in original post

MuS
SplunkTrust
SplunkTrust

Hi Phil219,

you can do something like this:

  tag::cool OR tag::uncool | stats count(eval(tag="cool")) AS cool count(eval(tag="uncool")) AS uncool count AS total

to get a count of cool things, uncool things and a total count of both events.

Update
Just in case there is no tag::uncool you can use this search:

 tag::* OR NOT tag::* | stats count(eval(tag="cool")) AS cool sum(eval(if(isnull(tag), 1, 0))) AS uncool count AS total

Hope this helps ...

cheers, MuS

Phil219
Path Finder

Works! Thank you!

0 Karma

Phil219
Path Finder

Nice! Thank you MuS! I have not "uncool" tag... I will give this a shot...

0 Karma

MuS
SplunkTrust
SplunkTrust

hmm, maybe I did misunderstood your question.... do you have a tag::uncool or only a tag for tag::cool?

MuS
SplunkTrust
SplunkTrust

updated the answer ...

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...