Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Multiple stats counts on different criteria

guythomasdavis
Explorer
‎07-02-2018 06:00 AM

Hi all, first question on Splunk Answers. I just finished the Fundamentals I training and am now wanting to do some more sophisticated things with the SPL. I have data with status codes 100-900 that tracks the progress of a process that happens daily. I'd like to do a chart that is on a dashboard where dynamic updates happen that shows the progress. So for each client (field), that has a operationnumber i want to be able to show the total operations being processed (max status < 900) for that client and the total complete for that client (max status = 900) ... something like head limit=1 for each client, operationnumber where the items are sorted by - status.

While I understand the basics of the SPL there is something i'm not quite getting about how the SPL searches are parsed and executed... e.g. the light bulb has yet to fully go off! I'm actually looking forward to really grokking this so I can start helping others here.

Thanks so much,

Guy Davis

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎07-02-2018 07:16 AM

Like this:

Your base search hear that gets all the events
| stats count AS total count(eval(max_status<900)) AS count_below_900 count(eval(max_status==900)) AS count_equals_900 BY process client
0 Karma
Reply

guythomasdavis
Explorer
‎07-03-2018 05:40 AM

thank you. as soon as i finish using eventgen to generate some sample data and test i'll let you know how this works. i'll hopefully have this done in a couple of days.

0 Karma
Reply

FrankVl
Ultra Champion
‎07-02-2018 07:08 AM

Can you provide a bit more information on what the data looks like and what the key fields are that you want to look at?

If I understand your question correctly I think you need to do something like this (assuming you have some process field that identifies the processes), if you provide some sample data or some more info on the relevant fields, I can make the answer more tailored to your situation.

...your base search...
| stats max(status) as max_status by process,client
| eval status = if(max_status=900,"Complete","In Progress")
| stats count by status,client
Reply

guythomasdavis
Explorer
‎07-03-2018 05:39 AM

Hi, I'm working with eventgen as this data hasn't been generated as of yet. I will post it here when I am finished. I appreciate your feedback to date

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...