How to make a query that counts by comparing valu...

hyewonkim · ‎06-15-2023

I'm new to splunk and I'm asking for help. 
I will give an example as below.
if event_id or orig_event are the same, count them
I want to lookup event_id for case not 3. 
Therefore, in this case, the count of event_id 7 is 2, not 3, so 7 should be the lookup.
could you possibly help me?

[data table]

index	type	event_id	orig_event_id
A	a	1
A	b		1
B	c		1
A	a	3
A	b		3
B	c	3
A	a		5
A	b	5
B	c		5
A	a		7
A	b	7

[result]

A	a		7
A	b	7

ITWhisperer · ‎06-15-2023

Not sure if this is what you are after as your description does quite tally with your example

| stats count(eval(event_id == orig_event_id)) as count by index type

hyewonkim · ‎06-15-2023

There were some mistakes in the content. It has only one value among orig_event_id and event_id.

ITWhisperer · ‎06-15-2023

Are you just after the last event_id and orig_event_id by index and type?

| stats last(event_id) as event_id last(orig_event_id) as orig_event_id by index type

How to make a query that counts by comparing values?

field extraction

fields

stats

table

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation