How to get distinct count for which if condition s...

arugupta · ‎02-01-2023

My Aim :
This below query gives me count of success, failure by b_key, c_key. I want to get the distinct count of b_key for which the failure occurred. In the example below it will be 2.

| eval Complete = case(key_a="complete", "Complete")
| eval Init = case(key_a="init" , "Init")
| stats count(Init) as Init, count(Complete) as Complete by b_key, c_key
| eval Fcount = if((Init != Complete),1,0) 
| eval Scount = if((Init = Complete),1,0) 
| stats sum(Fcount) as FailureCount, sum(Scount) as SuccessCount 
| eval total=(FailureCount+SuccessCount) 
| eval Success% = round(SuccessCount/total*100,2)
| eval Failure% = round(FailureCount/total*100,2) 
| table FailureCount, SuccessCount, Success%, Failure%

arugupta · ‎02-05-2023

@ITWhisperer It did not solve the purpose. Can you explain in brief what is it doing? What is 'eval key='Non-zero count' referring to?

ITWhisperer · ‎02-05-2023

This just sets a "label" for the row with the totals in

ITWhisperer · ‎02-01-2023

| appendpipe
    [| stats count(eval(SuccessCount>0)) as SuccessCount count(eval(FailureCount>0)) as FailureCount
    | eval key="Non-zero counts"]

How to get distinct count for which if condition satisfies?

count

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

How to get distinct count for which if condition satisfies?

count

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!