Solved: How to count total row number of non-zero field?

LearningGuy · ‎10-22-2023

How to count total row number of non-zero field?
Thank you in advance

Below is the data set:

ip	Vulnerability	Score
ip1	Vuln1	0
ip1	Vuln2	3
ip1	Vuln3	4
ip2	Vuln4	0
ip2	Vuln5	0
ip2	Vuln6	7

| stats count(Vulnerability) as Total_Vuln, countNonZero(Score) as Total_Non_Zero_Vuln by ip
Is there a function similar to countNonZero(Score) to count row number of non-zero field in Splunk?

With my search above, I would like to have the following output:

ip	Total_Vuln	Total_Non_Zero_Vuln
ip1	3	2
ip2	3	1

LearningGuy · ‎10-22-2023

I think I just figured it out
This search worked when I tried it... Please suggest..... Thanks
| stats count(Vulnerability) as Total_Vuln, count(eval(Score>0)) as Total_Non_Zero_Vuln by ip

View solution in original post

LearningGuy · ‎10-22-2023

I think I just figured it out
This search worked when I tried it... Please suggest..... Thanks
| stats count(Vulnerability) as Total_Vuln, count(eval(Score>0)) as Total_Non_Zero_Vuln by ip

inventsekar · ‎10-22-2023

Yep, thats a valid and nice SPL(the eval(score>0)).

or
the "!=" also should do the trick...

| stats count(eval(score!=0)) as Total_Non_Zero_Vuln by ip

the stats, eval commands give us so many options, very nice!

How to count total row number of non-zero field?

stats

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!