Solved: Need SPL advise for stats

k31453 · ‎04-15-2021

I have following data:

I am trying to generate SPL which provides me following:

Essentially change_complete will be new field and will be marked "Yes" only if all the hosts for that particular customer has flag_enabled = "Yes" otherwise change_complete=No

I am trying to use eval or stats function to get around it. But I got no luck.

ITWhisperer · ‎04-15-2021

| makeresults 
| eval _raw="customer,host,flag_enabled
abc,host1,yes
abc,host2,no
fax,host1,yes
fax,host2,yes"
| multikv forceheader=1
| fields customer host flag_enabled
| fields - _*
| stats count count(eval(flag_enabled=="yes")) as enabled_count by customer
| eval change_complete=if(count==enabled_count,"yes","no")
| fields customer change_complete

View solution in original post

ITWhisperer · ‎04-15-2021

| makeresults 
| eval _raw="customer,host,flag_enabled
abc,host1,yes
abc,host2,no
fax,host1,yes
fax,host2,yes"
| multikv forceheader=1
| fields customer host flag_enabled
| fields - _*
| stats count count(eval(flag_enabled=="yes")) as enabled_count by customer
| eval change_complete=if(count==enabled_count,"yes","no")
| fields customer change_complete

Need SPL advise for stats

count

stats

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...