Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to get sum of field based on it's value?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
swdowiarz
Path Finder
09-20-2019
06:01 AM
Hi,
I would be grateful for any help.
In my fields we are having two fields which are: data.user_id and data.config.offlineGDTS
data.config.offlineGDTS can have value true or false
My questions is: How can I have statistics for each user how many events he has for data.config.offlineGDTS=true and data.config.offlineGDTS=false ?
Basically I would like to have in one row: user_id, sum(data.config.offlineGDTS=true), sum(data.config.offlineGDTS=false)
What I've tried looks like this:
index=cs_engineering sourcetype=pizza_app data.offlineGDTS=* | stats
count(eval(data.offlineGDTS="true")) as ONLINE_GDT
count((data.offlineGDTS="false")) as OFFLINE_GDT
by data.user_id
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DavidHourani
Super Champion
09-22-2019
03:27 AM
Hi @swdowiarz,
Try this, could be that the . is causing some problems with the eval as it could be interpreted as a concatenation :
index=cs_engineering sourcetype=pizza_app data.offlineGDTS=*
|rename data.offlineGDTS as NewofflineGDTS
| stats count(eval(NewofflineGDTS="true")) as ONLINE_GDT count(eval(NewofflineGDTS="false")) as OFFLINE_GDT
by data.user_id
Let me know if that helps.
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DavidHourani
Super Champion
09-22-2019
03:27 AM
Hi @swdowiarz,
Try this, could be that the . is causing some problems with the eval as it could be interpreted as a concatenation :
index=cs_engineering sourcetype=pizza_app data.offlineGDTS=*
|rename data.offlineGDTS as NewofflineGDTS
| stats count(eval(NewofflineGDTS="true")) as ONLINE_GDT count(eval(NewofflineGDTS="false")) as OFFLINE_GDT
by data.user_id
Let me know if that helps.
Cheers,
David
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
swdowiarz
Path Finder
09-23-2019
01:03 AM
yeah! it is working as it should be, thanks!
However, do you know how to present those counts in percentage?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jonydupre
Path Finder
09-23-2019
01:51 AM
You could try the top function, it orders your results by amount and automaticly adds percentage to it, but it might not be best practice. Not sure if you can add percetage on it's own. Maybe try "showperc=true" or something?
(I just started with Splunk, so I might be wrong.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DavidHourani
Super Champion
09-23-2019
01:22 AM
you're welcome !
Yeah for the percentage you just need the total count. Something like this should do the trick :
| stats count(NewofflineGDTS) as total count(eval(NewofflineGDTS="true")) as ONLINE_GDT count(eval(NewofflineGDTS="false")) as OFFLINE_GDT
You can then use that total with an eval to make a percentage 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
09-20-2019
07:01 AM
The second count is missing an eval. What do you get from that query?
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
swdowiarz
Path Finder
09-20-2019
11:32 AM
Oh yes, I missed that one.
With this query I'm getting the look of a table as I wanted with three columns( user_id, ONLINE_GDT, OFFLINE_GDT ), but for each row(user_id) the data are not being count and all the values for GDTs are 0.
Get Updates on the Splunk Community!
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
