How to get distinct count for which if condition s...

arugupta · ‎02-01-2023

My Aim :
This below query gives me count of success, failure by b_key, c_key. I want to get the distinct count of b_key for which the failure occurred. In the example below it will be 2.

| eval Complete = case(key_a="complete", "Complete")
| eval Init = case(key_a="init" , "Init")
| stats count(Init) as Init, count(Complete) as Complete by b_key, c_key
| eval Fcount = if((Init != Complete),1,0) 
| eval Scount = if((Init = Complete),1,0) 
| stats sum(Fcount) as FailureCount, sum(Scount) as SuccessCount 
| eval total=(FailureCount+SuccessCount) 
| eval Success% = round(SuccessCount/total*100,2)
| eval Failure% = round(FailureCount/total*100,2) 
| table FailureCount, SuccessCount, Success%, Failure%

arugupta · ‎02-05-2023

@ITWhisperer It did not solve the purpose. Can you explain in brief what is it doing? What is 'eval key='Non-zero count' referring to?

ITWhisperer · ‎02-05-2023

This just sets a "label" for the row with the totals in

ITWhisperer · ‎02-01-2023

| appendpipe
    [| stats count(eval(SuccessCount>0)) as SuccessCount count(eval(FailureCount>0)) as FailureCount
    | eval key="Non-zero counts"]

How to get distinct count for which if condition satisfies?

count

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

New Release | Splunk Cloud Platform 10.1.2507

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

Are you a member of the Splunk Community?

How to get distinct count for which if condition satisfies?

count

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

New Release | Splunk Cloud Platform 10.1.2507

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2