Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it possible to use if else condition based on the search to create stats?

nukarajusundeep
New Member
‎10-30-2019 12:03 PM 
index=concourse
sourcetype="deployments: csv"
if project = * and team=$team$ | stats count by project, team
elif team=* and project=$project$ | stats count by team, project

Can we do something like this in Splunk search?

0 Karma
Reply

anthonymelita
Contributor
‎10-30-2019 02:35 PM

I'm not sure if it will get you what you need, but you can wrap an eval inside of a stats function.
count(eval(team=$team$ AND project=*))

0 Karma
Reply

dmarling
Builder
‎10-30-2019 12:27 PM

Where is the data that is going to populate the two tokens you have in your search coming from? Is that streaming from the search that returns with your index=concourse sourcetype="deployments: csv" part of the query? Also what is your ultimate goal, Are you trying to say, if project is not null and team equals token team stats count by project, team, else if team is not null and project equals token project stats count by team project? Are you doing this because the project/team field is sometimes null? Can you mock up the output you are looking for?

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma
Reply

nukarajusundeep
New Member
‎10-30-2019 12:44 PM

I am trying to create a dashboard with deployments during the month based on projects as dropdown fields using Column graph

this is my query for the dashboard.

index="concourse" sourcetype="deployments: csv" month="$mt$" project="$project$" | stats count by project, month

This basically gives me the count for the deployments by project

with the above query if i choose
Project = ALL and Month=February

This is basically showing the data correctly in the graph wit proper name [like a, b, c projects deployed during this month]

When I choose Project=BUY and Month=ALL
Then it is populating the results but showing as [BUY,BUY,BUY,BUY] on x-axis and count on y-axis and not displaying the month

0 Karma
Reply

dmarling
Builder
‎10-30-2019 01:03 PM

Gotcha. You may want to consider using chart instead of stats for this use case:

index="concourse" sourcetype="deployments: csv" month="$mt$" project="$project$"
| chart count over month by project

This will make it so month is always the x-axis and your columns will be different projects.

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top