Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need SPL advise for stats

k31453
Explorer
‎04-15-2021 12:27 AM

I have following data:

k31453_0-1618471498307.png


I am trying to generate SPL which provides me following:

k31453_1-1618471517925.png


Essentially change_complete will be new field and will be marked "Yes" only if all the hosts for that particular customer  has flag_enabled = "Yes" otherwise change_complete=No

I am trying to use eval or stats function to get around it. But I got no luck.

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-15-2021 12:41 AM 
| makeresults 
| eval _raw="customer,host,flag_enabled
abc,host1,yes
abc,host2,no
fax,host1,yes
fax,host2,yes"
| multikv forceheader=1
| fields customer host flag_enabled
| fields - _*
| stats count count(eval(flag_enabled=="yes")) as enabled_count by customer
| eval change_complete=if(count==enabled_count,"yes","no")
| fields customer change_complete

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-15-2021 12:41 AM 
| makeresults 
| eval _raw="customer,host,flag_enabled
abc,host1,yes
abc,host2,no
fax,host1,yes
fax,host2,yes"
| multikv forceheader=1
| fields customer host flag_enabled
| fields - _*
| stats count count(eval(flag_enabled=="yes")) as enabled_count by customer
| eval change_complete=if(count==enabled_count,"yes","no")
| fields customer change_complete
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...