Solved: Re: How to calculate distinct count with condition...

LearningGuy · ‎11-01-2023

Hello,

How to calculate distinct count with condition?

How to calculate unique vuln that has score >0, group by ip?

Before calculation

ip	vuln	score
1.1.1.1	vuln1	0
1.1.1.1	vuln1	0
1.1.1.1	vuln2	3
1.1.1.1	vuln2	3
1.1.1.1	vuln2	3
1.1.1.1	vuln3	7
1.1.1.1	vuln3	7
2.2.2.2	vuln1	0
2.2.2.2	vuln4	0
2.2.2.2	vuln5	5
2.2.2.2	vuln5	5

After calculation

ip	dc(vuln)	dc(vuln) score > 0
1.1.1.1	3	2
2.2.2.2	3	1

Thank you so much

ITWhisperer · ‎11-01-2023

| stats dc(eval(if(score > 0,vuln,null()))) as dc_gt_0 dc(vuln) as dc_all by ip

View solution in original post

LearningGuy · ‎11-01-2023

Wow, it worked.. I will accept this as solution. Thank you so much
What did the "eval if" part do?
if score > 0, then include the vuln, if not assign null function, which means DC will ignore it?

eval(if(score > 0,vuln,null()))

ITWhisperer · ‎11-01-2023

Correct, null values (as returned by the null() function) are ignored by the dc() function

LearningGuy · ‎11-01-2023

Hello @ITWhisperer
How do I calculate sum of unique vuln that has score >0?
in my mind, it's like this: sum (dc(vuln) score > 0) but when i tried it, it didn't work

ip	dc(vuln)	dc(vuln) score > 0	sum (dc(vuln) score > 0)
1.1.1.1	3	2	10
2.2.2.2	3	1	5

Thank you so much

ITWhisperer · ‎11-02-2023

| stats values(score) as score by ip vuln
| stats dc(eval(if(score > 0,vuln,null()))) as dc_gt_0 dc(vuln) as dc_all sum(score) as total_score by ip

ITWhisperer · ‎11-01-2023

| stats dc(eval(if(score > 0,vuln,null()))) as dc_gt_0 dc(vuln) as dc_all by ip

How to calculate distinct count with condition?

stats

Routing logs with Splunk OTel Collector for Kubernetes

New This Month - Observability Updates Give Extended Visibility and Improve User ...

Intro to Splunk Synthetic Monitoring