Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need SPL advise for stats

k31453
Explorer
‎04-15-2021 12:27 AM

I have following data:

k31453_0-1618471498307.png


I am trying to generate SPL which provides me following:

k31453_1-1618471517925.png


Essentially change_complete will be new field and will be marked "Yes" only if all the hosts for that particular customer  has flag_enabled = "Yes" otherwise change_complete=No

I am trying to use eval or stats function to get around it. But I got no luck.

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-15-2021 12:41 AM 
| makeresults 
| eval _raw="customer,host,flag_enabled
abc,host1,yes
abc,host2,no
fax,host1,yes
fax,host2,yes"
| multikv forceheader=1
| fields customer host flag_enabled
| fields - _*
| stats count count(eval(flag_enabled=="yes")) as enabled_count by customer
| eval change_complete=if(count==enabled_count,"yes","no")
| fields customer change_complete

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-15-2021 12:41 AM 
| makeresults 
| eval _raw="customer,host,flag_enabled
abc,host1,yes
abc,host2,no
fax,host1,yes
fax,host2,yes"
| multikv forceheader=1
| fields customer host flag_enabled
| fields - _*
| stats count count(eval(flag_enabled=="yes")) as enabled_count by customer
| eval change_complete=if(count==enabled_count,"yes","no")
| fields customer change_complete
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...