How to make a query that counts by comparing valu...

hyewonkim · ‎06-15-2023

I'm new to splunk and I'm asking for help. 
I will give an example as below.
if event_id or orig_event are the same, count them
I want to lookup event_id for case not 3. 
Therefore, in this case, the count of event_id 7 is 2, not 3, so 7 should be the lookup.
could you possibly help me?

[data table]

index	type	event_id	orig_event_id
A	a	1
A	b		1
B	c		1
A	a	3
A	b		3
B	c	3
A	a		5
A	b	5
B	c		5
A	a		7
A	b	7

[result]

A	a		7
A	b	7

ITWhisperer · ‎06-15-2023

Not sure if this is what you are after as your description does quite tally with your example

| stats count(eval(event_id == orig_event_id)) as count by index type

hyewonkim · ‎06-15-2023

There were some mistakes in the content. It has only one value among orig_event_id and event_id.

ITWhisperer · ‎06-15-2023

Are you just after the last event_id and orig_event_id by index and type?

| stats last(event_id) as event_id last(orig_event_id) as orig_event_id by index type

How to make a query that counts by comparing values?

field extraction

fields

stats

table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation