Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I return the number of times a specified value appears in a field?

andrew_f_trobec
Explorer
‎11-09-2016 07:01 AM

Hello,

I have a simple issue that I can't resolve, and was hoping for support. I have the following data:

OBJECT ID,NEW STATE
1,STATE ONE
1,STATE TWO
1,STATE THREE
2,STATE ONE
2,STATE TWO
2,STATE ONE

My objective is to return the amount of times that "STATE ONE" appears. I have the following code:

index = "SAMPLE INDEX" | stats count(eval("NEW STATE" = "STATE ONE")) as "COUNT"

I was hoping that this would return "COUNT" = 3, but it keeps returning 0.

What am I missing?

Any help would be greatly appreciated. Thank you!

Andrew

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎11-09-2016 07:54 AM

Try like this

index = "SAMPLE INDEX" "NEW STATE"="STATE ONE" | stats count as "COUNT"

OR (field name with spaces should be enclosed in single quotes)

index = "SAMPLE INDEX" | stats count(eval('NEW STATE' = "STATE ONE")) as "COUNT"

View solution in original post

Reply
Solved! Jump to solution

gokadroid
Motivator
‎11-09-2016 07:57 AM

I hope its not doing a string compare and then returning false of comparing the "NEW STATE" as a string rather than "NEW STATE" as a field with "STATE ONE". Try to extract the fieldname as single worded text like and see if it resolves:

yourQuery to return data
| rex "^(?<objectId>[^,]+),(?<newState>).*)$"
| stats count(eval(newState="STATE ONE")) as COUNT
0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎11-09-2016 07:54 AM

Try like this

index = "SAMPLE INDEX" "NEW STATE"="STATE ONE" | stats count as "COUNT"

OR (field name with spaces should be enclosed in single quotes)

index = "SAMPLE INDEX" | stats count(eval('NEW STATE' = "STATE ONE")) as "COUNT"
Reply
Solved! Jump to solution

andrew_f_trobec
Explorer
‎11-11-2016 01:56 AM

Stupid double quotes! Thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...