Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I return the number of times a specified value appears in a field?

andrew_f_trobec
Explorer
‎11-09-2016 07:01 AM

Hello,

I have a simple issue that I can't resolve, and was hoping for support. I have the following data:

OBJECT ID,NEW STATE
1,STATE ONE
1,STATE TWO
1,STATE THREE
2,STATE ONE
2,STATE TWO
2,STATE ONE

My objective is to return the amount of times that "STATE ONE" appears. I have the following code:

index = "SAMPLE INDEX" | stats count(eval("NEW STATE" = "STATE ONE")) as "COUNT"

I was hoping that this would return "COUNT" = 3, but it keeps returning 0.

What am I missing?

Any help would be greatly appreciated. Thank you!

Andrew

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎11-09-2016 07:54 AM

Try like this

index = "SAMPLE INDEX" "NEW STATE"="STATE ONE" | stats count as "COUNT"

OR (field name with spaces should be enclosed in single quotes)

index = "SAMPLE INDEX" | stats count(eval('NEW STATE' = "STATE ONE")) as "COUNT"

View solution in original post

Reply
Solved! Jump to solution

gokadroid
Motivator
‎11-09-2016 07:57 AM

I hope its not doing a string compare and then returning false of comparing the "NEW STATE" as a string rather than "NEW STATE" as a field with "STATE ONE". Try to extract the fieldname as single worded text like and see if it resolves:

yourQuery to return data
| rex "^(?<objectId>[^,]+),(?<newState>).*)$"
| stats count(eval(newState="STATE ONE")) as COUNT
0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎11-09-2016 07:54 AM

Try like this

index = "SAMPLE INDEX" "NEW STATE"="STATE ONE" | stats count as "COUNT"

OR (field name with spaces should be enclosed in single quotes)

index = "SAMPLE INDEX" | stats count(eval('NEW STATE' = "STATE ONE")) as "COUNT"
Reply
Solved! Jump to solution

andrew_f_trobec
Explorer
‎11-11-2016 01:56 AM

Stupid double quotes! Thank you!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...