- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Is it possible to extract results of an eval match...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to do something like this:
...|eval Classification=case(match(class,"Boy"),"Boy",match(class,"Girl"),"Girl",match(class,"Man"),"Man") |code_I_am_looking_for | stats count by Boy,Girl,Man
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried with chart?
| eval Classification=case(match(class,"Boy"),"Boy",match(class,"Girl"),"Girl",match(class,"Man"),"Man")
| chart count over class by Classification
| fields - class
Alternatively, if you you know the name of your fields in advanced you could also do:
| eval Classification=case(match(class,"Boy"),"Boy",match(class,"Girl"),"Girl",match(class,"Man"),"Man")
| eval Boy = if (Classification == "Boy", 1, 0)
| eval Girl = if (Classification == "Girl", 1, 0)
| eval Man = if (Classification == "Man", 1, 0)
| stats sum(*) as *
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, did any of the comments below help you on this?
If yes, can you mark it as answered?
If not, is there any else we can do to help?
Unanswered questions make me sad 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Javiergn, sorry about the late response, your answer was very helpful
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From your response to my other Answer, maybe this answer will suit your need better.
... | stats count(eval(match(class, "Boy"))) AS "Boy" count(eval(match(class, "Girl"))) AS "Girl" count(eval(match(class, "Man"))) AS "Man"
That gets rid of a lot of complexity but should end up with an output like your description "I want to split the match into fields if possible, then do stats count on the new fields"
Give that a try and let us know!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried with chart?
| eval Classification=case(match(class,"Boy"),"Boy",match(class,"Girl"),"Girl",match(class,"Man"),"Man")
| chart count over class by Classification
| fields - class
Alternatively, if you you know the name of your fields in advanced you could also do:
| eval Classification=case(match(class,"Boy"),"Boy",match(class,"Girl"),"Girl",match(class,"Man"),"Man")
| eval Boy = if (Classification == "Boy", 1, 0)
| eval Girl = if (Classification == "Girl", 1, 0)
| eval Man = if (Classification == "Man", 1, 0)
| stats sum(*) as *
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried just
...|eval Classification=case(match(class,"Boy"),"Boy",match(class,"Girl"),"Girl",match(class,"Man"),"Man") | stats count by Classification
?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, that's not what I want. Doing a stat count by classification lists Boy,Girl,Man under Classification. I want to split the match into fields if possible, then do stats count on the new fields
Enter the Splunk Community Dashboard Challenge for Your Chance to Win!
.conf24 | Session Scheduler is Live!!
Introducing the Splunk Community Dashboard Challenge!
