Solved: How to get diff count and show field and result of...

mockingj · ‎03-19-2020

Hello Splunkers,

I have a trouble with the result, example i have some data log

Goat | alive
Goat | dead
Goat | alive

Rabit | alive
Rabit | dead

my trouble is , how to get data count alive or dead , example a Goat (alive =2 , dead = 1) diff = alive - dead (1) , and Rabit(alive=1 , dead=1) diff = alive - dead (0), i want to create table of result
Animal | alive | dead | diff
Goat | 2 | 1 | 1
Rabit | 1 | 1 | 0

please help me for the query, thank you splunkers

richgalloway · ‎03-19-2020

See if this helps.

... | stats count(eval(state="alive")) as AliveCount, count(eval(state="dead")) as DeadCount by Animal
| eval diff = AliveCount - DeadCount
| table Animal, AliveCount, DeadCount, diff

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎03-19-2020

See if this helps.

... | stats count(eval(state="alive")) as AliveCount, count(eval(state="dead")) as DeadCount by Animal
| eval diff = AliveCount - DeadCount
| table Animal, AliveCount, DeadCount, diff

---
If this reply helps you, Karma would be appreciated.

mockingj · ‎03-19-2020

wonderful answer :)) , the best word by Animal , thank you very much

manjunathmeti · ‎03-19-2020

hi @mockingj,

Try this:

| makeresults 
| eval _raw="_raw
Goat | alive
Goat | dead
Goat | alive
Rabit | alive
Rabit | dead" 
| multikv forceheader=1 
| rex "(?<Animal>\w+)\s\|\s(?<status>\w+)" 
| stats count(eval(status="alive")) as alive, count(eval(status="dead")) as dead by Animal 
| eval diff=alive-dead

mockingj · ‎03-19-2020

thanks you for your answer

How to get diff count and show field and result of diff

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM