Solved: Re: How can I count both events that are tagged an...

Phil219 · ‎01-21-2016

I currently use the following to count the number of names that are tagged as cool:

... tag::cool | stats dc("Name")

This gives me a count of cool kids. I would like to compare the number of kids that are "cool" with those that are not cool. Any ideas how I can get those two numbers?

MuS · ‎01-21-2016

Hi Phil219,

you can do something like this:

  tag::cool OR tag::uncool | stats count(eval(tag="cool")) AS cool count(eval(tag="uncool")) AS uncool count AS total

to get a count of cool things, uncool things and a total count of both events.

Update
Just in case there is no tag::uncool you can use this search:

 tag::* OR NOT tag::* | stats count(eval(tag="cool")) AS cool sum(eval(if(isnull(tag), 1, 0))) AS uncool count AS total

Hope this helps ...

cheers, MuS

View solution in original post

MuS · ‎01-21-2016

Hi Phil219,

you can do something like this:

  tag::cool OR tag::uncool | stats count(eval(tag="cool")) AS cool count(eval(tag="uncool")) AS uncool count AS total

to get a count of cool things, uncool things and a total count of both events.

Update
Just in case there is no tag::uncool you can use this search:

 tag::* OR NOT tag::* | stats count(eval(tag="cool")) AS cool sum(eval(if(isnull(tag), 1, 0))) AS uncool count AS total

Hope this helps ...

cheers, MuS

Phil219 · ‎01-23-2016

Works! Thank you!

Phil219 · ‎01-21-2016

Nice! Thank you MuS! I have not "uncool" tag... I will give this a shot...

MuS · ‎01-21-2016

hmm, maybe I did misunderstood your question.... do you have a tag::uncool or only a tag for tag::cool?

MuS · ‎01-21-2016

updated the answer ...

How can I count both events that are tagged and those that aren't?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!