Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use stats with condition from multiple fields?

Utkc137
Explorer
‎09-30-2023 07:44 AM

Greetings,

 

I am struggling with creating a table in splunk which would do the following transformation:

Find the discrete count of id for A, B, and C where value the is 1, by month. 

tt_3.png

Currently, I am calculating values for each column individually using eventstats and combining the results.

However, we have a lot of columns (a,b,c,d.....) and thus the SLP does not preform efficiently. 

 

Looking for a more efficient approach to this.

 

Thanks in advance!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Thulasinathan_M
Communicator
‎09-30-2023 08:21 AM

Hi,
Please try below:

| stats max(A) as ACnt, max(B) as BCnt, max(C) as CCnt by month, id
| stats sum(ACnt) as ACnt, sum(BCnt) as BCnt, sum(CCnt) as CCnt by month

 

View solution in original post

Reply
Solved! Jump to solution
Solution

Thulasinathan_M
Communicator
‎09-30-2023 08:21 AM

Hi,
Please try below:

| stats max(A) as ACnt, max(B) as BCnt, max(C) as CCnt by month, id
| stats sum(ACnt) as ACnt, sum(BCnt) as BCnt, sum(CCnt) as CCnt by month

 

Reply
Solved! Jump to solution

Utkc137
Explorer
‎09-30-2023 08:29 AM

Hey thanks a ton!
Been breaking my head on this issue. 

0 Karma
Reply
Solved! Jump to solution

Thulasinathan_M
Communicator
‎09-30-2023 08:35 AM

Happy that worked for you!! Happy Splunking 🙂

0 Karma
Reply
Solved! Jump to solution

Thulasinathan_M
Communicator
‎09-30-2023 08:03 AM

Hi,
Are A,B,C,D fields?

0 Karma
Reply
Solved! Jump to solution

Utkc137
Explorer
‎09-30-2023 08:11 AM

Yes, they are individual field values. 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-30-2023 08:03 AM

hi @Utkc137,

if the file name having values A, B and C is "id_cnt", you could use the chart command:

<your_search>
| chart count OVER month BY id_cnt

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

Utkc137
Explorer
‎09-30-2023 08:09 AM

This isn't the case, all columns are individual fields values.

The original log is of the following format:

<date_time> <month> <id> A=1 B=0 C=0 ...

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-30-2023 08:14 AM

Hi @Utkc137 ,

you could try stats with eval:

<your_search>
| stats 
   count(eval(A=1)) AS A_id_cnt 
   count(eval(B=1)) AS B_id_cnt 
   count(eval(C=1)) AS C_id_cnt 
   BY month

if it doesn't run, please try also:

<your_search>
| stats 
   count(eval(A="1")) AS A_id_cnt 
   count(eval(B="1")) AS B_id_cnt 
   count(eval(C="1")) AS C_id_cnt 
   BY month

Ciao.

Giuseppe

Reply
Solved! Jump to solution

Utkc137
Explorer
‎09-30-2023 08:22 AM

The idea is to find discrete count of id's where A=1, B=1. Not the count of events where  these values are 1.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-30-2023 08:29 AM

HI @Utkc137,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-30-2023 08:24 AM

Hi @Utkc137.

sorry, what's the difference?

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...