Solved: Need SPL advise for stats

k31453 · ‎04-15-2021

I have following data:

I am trying to generate SPL which provides me following:

Essentially change_complete will be new field and will be marked "Yes" only if all the hosts for that particular customer has flag_enabled = "Yes" otherwise change_complete=No

I am trying to use eval or stats function to get around it. But I got no luck.

ITWhisperer · ‎04-15-2021

| makeresults 
| eval _raw="customer,host,flag_enabled
abc,host1,yes
abc,host2,no
fax,host1,yes
fax,host2,yes"
| multikv forceheader=1
| fields customer host flag_enabled
| fields - _*
| stats count count(eval(flag_enabled=="yes")) as enabled_count by customer
| eval change_complete=if(count==enabled_count,"yes","no")
| fields customer change_complete

View solution in original post

ITWhisperer · ‎04-15-2021

| makeresults 
| eval _raw="customer,host,flag_enabled
abc,host1,yes
abc,host2,no
fax,host1,yes
fax,host2,yes"
| multikv forceheader=1
| fields customer host flag_enabled
| fields - _*
| stats count count(eval(flag_enabled=="yes")) as enabled_count by customer
| eval change_complete=if(count==enabled_count,"yes","no")
| fields customer change_complete

Need SPL advise for stats

count

stats

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!