Solved: Is there an alternate solution to stats count with...

jialiu907 · ‎06-02-2023

| eval ExitStatus=if(ExitStatus>0, 1, 0)
| stats count by ExitStatus by Site

In the search query above, I am looking to count the ExitStatus field after evaluating it to 2 stats, 0 or 1; by the Site, which is 4 stats. Currently the search query isn't showing any statistics and I think its due to the two BY commands. Is there an alternative solution?

gcusello · ‎06-02-2023

Hi @jialiu907,

please try this:

<your_search>
| stats 
   count(eval(ExitStatus>0)) AS greater_than 
   count(eval(ExitStatus=0)) AS less_than 
   BY Site

Ciao.

Giuseppe

View solution in original post

PickleRick · ‎06-02-2023

If you want to categorize your data with stats over more than one field, you simply enumerate those fields with a single BY clause.

[...]
| stats count BY ExitStatus Site

Of course pay attention to field names - they are case-sensitive.

gcusello · ‎06-02-2023

Hi @jialiu907,

please try this:

<your_search>
| stats 
   count(eval(ExitStatus>0)) AS greater_than 
   count(eval(ExitStatus=0)) AS less_than 
   BY Site

Ciao.

Giuseppe

Is there an alternate solution to stats count with two BY fields?

eval

fields

stats

Splunk Observability Cloud | Customer Survey!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

Starting With Observability: OpenTelemetry Best Practices