Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get sum of field based on it's value?

swdowiarz
Path Finder
‎09-20-2019 06:01 AM

Hi,

I would be grateful for any help.

In my fields we are having two fields which are: data.user_id and data.config.offlineGDTS

data.config.offlineGDTS can have value true or false

My questions is: How can I have statistics for each user how many events he has for data.config.offlineGDTS=true and data.config.offlineGDTS=false ?
Basically I would like to have in one row: user_id, sum(data.config.offlineGDTS=true), sum(data.config.offlineGDTS=false)

What I've tried looks like this:

index=cs_engineering sourcetype=pizza_app data.offlineGDTS=* | stats 
count(eval(data.offlineGDTS="true")) as ONLINE_GDT
count((data.offlineGDTS="false")) as OFFLINE_GDT
by data.user_id
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎09-22-2019 03:27 AM

Hi @swdowiarz,

Try this, could be that the . is causing some problems with the eval as it could be interpreted as a concatenation :

 index=cs_engineering sourcetype=pizza_app data.offlineGDTS=* 
|rename data.offlineGDTS as NewofflineGDTS
| stats  count(eval(NewofflineGDTS="true")) as ONLINE_GDT count(eval(NewofflineGDTS="false")) as OFFLINE_GDT
 by data.user_id

Let me know if that helps.

Cheers,
David

View solution in original post

Reply
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎09-22-2019 03:27 AM

Hi @swdowiarz,

Try this, could be that the . is causing some problems with the eval as it could be interpreted as a concatenation :

 index=cs_engineering sourcetype=pizza_app data.offlineGDTS=* 
|rename data.offlineGDTS as NewofflineGDTS
| stats  count(eval(NewofflineGDTS="true")) as ONLINE_GDT count(eval(NewofflineGDTS="false")) as OFFLINE_GDT
 by data.user_id

Let me know if that helps.

Cheers,
David

Reply
Solved! Jump to solution

swdowiarz
Path Finder
‎09-23-2019 01:03 AM

yeah! it is working as it should be, thanks!
However, do you know how to present those counts in percentage?

Reply
Solved! Jump to solution

jonydupre
Path Finder
‎09-23-2019 01:51 AM

You could try the top function, it orders your results by amount and automaticly adds percentage to it, but it might not be best practice. Not sure if you can add percetage on it's own. Maybe try "showperc=true" or something?

(I just started with Splunk, so I might be wrong.)

0 Karma
Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎09-23-2019 01:22 AM

you're welcome !

Yeah for the percentage you just need the total count. Something like this should do the trick :

| stats count(NewofflineGDTS)  as total count(eval(NewofflineGDTS="true")) as ONLINE_GDT count(eval(NewofflineGDTS="false")) as OFFLINE_GDT

You can then use that total with an eval to make a percentage 🙂

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-20-2019 07:01 AM

The second count is missing an eval. What do you get from that query?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

swdowiarz
Path Finder
‎09-20-2019 11:32 AM

Oh yes, I missed that one.
With this query I'm getting the look of a table as I wanted with three columns( user_id, ONLINE_GDT, OFFLINE_GDT ), but for each row(user_id) the data are not being count and all the values for GDTs are 0.

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top