Solved: How to get eventstats count with dynamic parameter...

Kislac · ‎05-03-2022

Hello!

I would like to count from a field based on another field.
I have a events with following 2 fields (Doors_Order & RQM_Order). I would like to count based on Doors_Order field from entire RQM_Order fields.

In excel this look like this:

=COUNTIF(E:E;C9)

I have tried with this:
| basesearch
| eventstats count(eval(RQMOrder_NotValidated=RQMOrder)) as ReqGap2

But this will count only if the 2 field is same in 1 event, not in entire events lists. I have tired lots of another things, but non of them worked. In excel this looks easy. Is there any solution in splunk?

VatsalJagani · ‎05-03-2022

@Kislac - Can you try something like this?

<your-search>
| join type=left DoorsOrder [| search <your search> | stats count by RQMOrder | rename RQMOrder AS DoorsOrder]
| fillnull count value=0
| rename count as ReqGap2

(I'm using field names as shown in the excel screenshots if some fields need to change please do so.)

I hope this helps!!!

View solution in original post

VatsalJagani · ‎05-03-2022

@Kislac - Can you try something like this?

<your-search>
| join type=left DoorsOrder [| search <your search> | stats count by RQMOrder | rename RQMOrder AS DoorsOrder]
| fillnull count value=0
| rename count as ReqGap2

(I'm using field names as shown in the excel screenshots if some fields need to change please do so.)

I hope this helps!!!

How to get eventstats count with dynamic parameter?

count

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life