Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I get a correct count using AND/OR statement

jbat
Engager
‎10-24-2012 01:34 PM

The following produces a count of 0 for "Other": 

|stats count AS Contacts,  
   count(eval((in_value=1 AND duration!="")  
    OR (in_value=2 AND duration!="")  
         OR (out_value=1 AND duration!="")  
         OR (out_value=2 AND duration!=""))) AS Successful,  
   count(eval((in_value=1 AND duration="")  
         OR (in_value=2 AND duration="")  
         OR (out_value=1 AND duration="")  
         OR (out_value=2 AND duration=""))) AS Unsuccessful,  
   count(eval(in_value!=1 AND in_value!=2 AND out_value!=1 AND out_value!=2)) AS Other  
   BY groupCode  
|fields groupCode, Contacts, Successful, Unsuccessful, Other  
|addcoltotals Contacts, Successful, Unsuccessful, Other

If I change "Other" to the following, the count can and does include some Successfuls:

count(eval((in_value!=1 AND in_value!=2) OR (out_value!=1 AND out_value!=2))) AS Other

If I change all the ANDs to ORs, I get the same count as Successfuls.

Tags (1)
0 Karma
Reply

lguinn2
Legend
‎10-24-2012 04:40 PM

This may not be an answer, but I think it may be easier to understand...

yoursearchhere
| eval success = if( duration!="" AND (in_value==1 OR in_value==2 OR out_value==1 OR out_value==2),1,0)
| eval fail = if(duration="" AND (in_value==1 OR in_value==2 OR out_value=1 OR out_value==2),1,0)
| eval other = if(in_value!=1 AND in_value!=2 AND out_value!=1 AND out_value!=2,1,0)
| stats count as Contacts, sum(success) as Successful, sum(fail) as Unsuccessful, sum(other) as Other 
     by  groupCode  
| fields groupCode, Contacts, Successful, Unsuccessful, Other  
| addcoltotals Contacts, Successful, Unsuccessful, Other

As a diagnostic, just do this:

yoursearchhere
| eval success = if( duration!="" AND (in_value==1 OR in_value==2 OR out_value==1 OR out_value==2),1,0)
| eval fail = if(duration="" AND (in_value==1 OR in_value==2 OR out_value=1 OR out_value==2),1,0)
| eval other = if(in_value!=1 AND in_value!=2 AND out_value!=1 AND out_value!=2,1,0)
| table success fail other duration in_value out_value

and you can probably see what's going wrong. Particularly consider what should happen if any of the fields do not exist...

Reply

jbat
Engager
‎10-25-2012 08:59 AM

This helped - I needed to account for fields not existing. Thanks!

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎10-24-2012 03:27 PM

Help us understand the relationship (if any) between in_value and out_value.

The fact that you get 0 for Other suggests that the statement with all ANDs cannot be logically true, that is, an event cannot simultaneously have those two fields !=1 AND !=2. Are 1 and 2 the only possible values? Are the values of in_value and out_value linked?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...