
How can I count both events that are tagged and those that aren't?

I currently use the following to count the number of names that are tagged as cool:

... tag::cool | stats dc("Name")

This gives me a count of cool kids. I would like to compare the number of kids that are "cool" with those that are not cool. Any ideas how I can get those two numbers?

Re: How can I count both events that are tagged and those that aren't?

Hi Phil219,

you can do something like this:

  tag::cool OR tag::uncool | stats count(eval(tag="cool")) AS cool count(eval(tag="uncool")) AS uncool count AS total

to get a count of cool things, uncool things and a total count of both events.

Update
Just in case there is no tag::uncool you can use this search:

 tag::* OR NOT tag::* | stats count(eval(tag="cool")) AS cool sum(eval(if(isnull(tag), 1, 0))) AS uncool count AS total

Hope this helps ...

cheers, MuS

Re: How can I count both events that are tagged and those that aren't?

Hmm, maybe I misunderstood your question... Do you have a tag::uncool, or only a tag for tag::cool?

Re: How can I count both events that are tagged and those that aren't?

updated the answer ...

Re: How can I count both events that are tagged and those that aren't?

Nice! Thank you MuS! I have no "uncool" tag... I will give this a shot...

Re: How can I count both events that are tagged and those that aren't?

Works! Thank you!
