Re: How to create a new field from existing fields...

dtccsundar · ‎08-24-2021

Hi,

I need a help in creating a field using/grouping sum of 2 existing fields .

Ex:

field 1- count_of_true(These will have independent counts for each services)

fields 2 - count_of_false(These will have independent counts for each services)

I am looking for a fields status which has sum(count_of_true) as true & sum(count_of_false) as false as below after a stats like( |stats count by status)

Status count

true 212

false 313

I tried using transpose ,but the stats gives unexpected value ,

PickleRick · ‎09-06-2021

To be honest I'm not sure what you're trying to achieve and from what kind of data.

Do you have various fields in your events that each can have a value of true and false? And do you want to do an aggregate stats over all fields over all events?

Or do you want to have a stats value for each event over all fields of that event?

Or something else?

dtccsundar · ‎09-07-2021

Hi PickleRick,

The below one is the one which triggered that.

I have to get % of 2 and 3 values in a same field .

Status count

True 200

False 50

Error 10

exc 5

temp 6

Total 271

I need to get true% by true+error /Total * 100 and False% by False+exc+temp/Total*100.

Please help me with the solution .

dtccsundar · ‎09-01-2021

Please help me to get solution for this .

isoutamo · ‎09-01-2021

Hi

@kamlesh_vaghela 's answer should work. You just need to update field names if needed etc.

Here is one query which you can use as start point with your testing.

index=_internal earliest=-1h
| stats count(eval(component="Metrics")) as true count(eval(component="ProcessTracker")) as false

This should give you some values if you have access to _internal index. If not then just replace index name and those evaluation conditions (component="Metrics") with your field and wanted value of that field.

r. Ismo

dtccsundar · ‎09-06-2021

Hi Ismo,

Thank you !!

| stats count(eval("Status"="True")) as True count(eval("Status"="False")) as "False"

I am getting ,

True False

0 0

Please help me out

manjunathmeti · ‎08-24-2021

hi @dtccsundar,

This might give you what you asked.

| makeresults 
| eval count_of_true=212, count_of_false=313 
| eval count=mvzip(count_of_true, count_of_false), count=split(count, ","), Status=split("true,false", ","), zip=mvzip(Status, count) 
| mvexpand zip 
| eval zip=split(zip, ","), Status=mvindex(zip, 0), count=mvindex(zip, 1) 
| table Status, count

If this reply helps you, a like would be appreciated.

dtccsundar · ‎08-24-2021

Thank you manjunathmeti ,

It gives count of each service (true and false ) and the the sum of (true and false)

| eval count_of_true=212, count_of_false=313
This is dynamic value which i will get after sum(true) and sum(false) and not the static one .

is there any other way ?

kamlesh_vaghela · ‎08-24-2021

@dtccsundar

Are you looking for this? Just update your stats command.

| stats count(eval(Status="true")) as true count(eval(Status="false")) as false

KV

dtccsundar · ‎08-24-2021

Thank you kamlesh_vaghela,

When i tried this i am getting the count as 0 for both true and false .

Adding to that ,

Sum(true) and sum(false) for each service is my need .

Any other way to achieve this ?

How to create a new field from existing fields after a sum

stats

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!