Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I get a count of entries where one value is 0 or greater than 0?

BearMormont
Path Finder
‎02-15-2018 04:51 PM

I have a Splunk Query that is returning data, similar to:

ComputerName    NumVulns
Computer1             10
Computer2              0
Computer3             27
Computer4              0
Computer5            100

And I would like to convert that output to a count of machines where NumVulns is 0 or NumVulns is greater than 0. Something like:

ComputerWithVulns - 3
ComputerWithoutVulns - 2

Ultimately I want to put this into a pie chart, but I am new to Splunk and not sure how to proceed. I've read up on eval and count but so far none of my attempts have been successful.

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

BearMormont
Path Finder
‎02-15-2018 05:53 PM

Figured it out myself:

|stats count(eval(NumVulns==0)) AS ComputerWithVulns count(eval(NumVulns>0)) AS ComputerWithoutVulns | transpose

Thanks!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

BearMormont
Path Finder
‎02-15-2018 05:53 PM

Figured it out myself:

|stats count(eval(NumVulns==0)) AS ComputerWithVulns count(eval(NumVulns>0)) AS ComputerWithoutVulns | transpose

Thanks!

0 Karma
Reply
Solved! Jump to solution

BearMormont
Path Finder
‎02-15-2018 05:12 PM

Figured it out myself.

|stats count(eval(NumVulns==0)) AS ComputerWithVulns count(eval(NumVulns>0)) AS ComputerWithoutVulns | transpose

Thanks!

0 Karma
Reply
Solved! Jump to solution

micahkemp
Champion
‎02-15-2018 05:17 PM

Great! You may consider converting this comment to an answer and accepting it so that others may find the answer more easily.

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...