Solved: Re: How to calculate distinct count with condition...

LearningGuy · ‎11-01-2023

Hello,

How to calculate distinct count with condition?

How to calculate unique vuln that has score >0, group by ip?

Before calculation

ip	vuln	score
1.1.1.1	vuln1	0
1.1.1.1	vuln1	0
1.1.1.1	vuln2	3
1.1.1.1	vuln2	3
1.1.1.1	vuln2	3
1.1.1.1	vuln3	7
1.1.1.1	vuln3	7
2.2.2.2	vuln1	0
2.2.2.2	vuln4	0
2.2.2.2	vuln5	5
2.2.2.2	vuln5	5

After calculation

ip	dc(vuln)	dc(vuln) score > 0
1.1.1.1	3	2
2.2.2.2	3	1

Thank you so much

ITWhisperer · ‎11-01-2023

| stats dc(eval(if(score > 0,vuln,null()))) as dc_gt_0 dc(vuln) as dc_all by ip

View solution in original post

LearningGuy · ‎11-01-2023

Wow, it worked.. I will accept this as solution. Thank you so much
What did the "eval if" part do?
if score > 0, then include the vuln, if not assign null function, which means DC will ignore it?

eval(if(score > 0,vuln,null()))

ITWhisperer · ‎11-01-2023

Correct, null values (as returned by the null() function) are ignored by the dc() function

LearningGuy · ‎11-01-2023

Hello @ITWhisperer
How do I calculate sum of unique vuln that has score >0?
in my mind, it's like this: sum (dc(vuln) score > 0) but when i tried it, it didn't work

ip	dc(vuln)	dc(vuln) score > 0	sum (dc(vuln) score > 0)
1.1.1.1	3	2	10
2.2.2.2	3	1	5

Thank you so much

ITWhisperer · ‎11-02-2023

| stats values(score) as score by ip vuln
| stats dc(eval(if(score > 0,vuln,null()))) as dc_gt_0 dc(vuln) as dc_all sum(score) as total_score by ip

ITWhisperer · ‎11-01-2023

| stats dc(eval(if(score > 0,vuln,null()))) as dc_gt_0 dc(vuln) as dc_all by ip

How to calculate distinct count with condition?

stats

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies