What I am looking to do is something of this nature:
| stats count(eval(if(action=success))), count(eval(if(action=failure))) by computer
but it has not been working out as I had hoped. Can anyone fill me in on what I might be able to do in order to get this result in my stats area of my search?
I think your syntax is wrong. What about this:
| stats
count(eval(if(action="success", 1, null()))) as success_count
count(eval(if(action="failure", 1, null()))) as failure_count
by computer
Or simply this instead:
| stats
count(eval(action="success")) as success_count
count(eval(action="failure")) as failure_count
by computer
Thanks,
J
The count function using an eval seems to require an AS clause. As per the doco: "count(eval(status="404")) AS count_status"
However count(eval(status="404")) without an as clause will cause a job inspector failure, and sometimes you get a useful message:
Error in 'stats' command: You must specify a rename for the aggregation specifier on the dynamically evaluated field 'count(eval(status="404"))'.
If you already have action as a field with values that can be "success" or "failure" or something else (or nothing), what about:
... (action=success OR action=failure)
| stats count by action, computer
where ... is your original base search. If you have already done some processing of the events, then you may have to resort to something like:
... | search action=success OR action=failure
| stats count by action, computer
The if's in your search aren't complete and seem to be unneeded.
Yes, you are correct, the syntax is wrong, but I was looking to get across what I am essentially trying to do in a clear and concise manner. I do know from having tried it previously that your second code idea does not work, having put that into the search from a previous example of a similar type of code, and that did not solve the issue. However, testing the first thought you had on the syntax generated the desired result for this case, and as such thank you for your suggestion.
Too much if, not enough naming:
... | stats count(eval(action=="success")) AS successes, count(eval(action=="failure")) AS failures BY computer
Making this correction to the query did not result in the desired outcome. The query returns 0 for each and every value that was specified when there are at least a few successes and failures in the queried items.
I forgot the double-quotes. It is fixed now.
This worked for me, however success and failure need to be encapsulated in quotes: "success" & "failure".
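The two things the thread turns on are how count(eval(...)) decides which events to count, and why the unquoted form (action=success) returns 0 for every computer. The following Python model, added here and not part of the thread or of Splunk itself, reproduces both behaviours over a constructed set of events: it models eval's equality test as comparing a field against either a string literal (quoted) or another field (unquoted bareword), treats a missing operand as null, and counts a group only when the condition actually holds. The event list, computer names and helper names are all assumptions made for this illustration.

```python
"""Added example (not from the thread): a small model of how Splunk's
stats count(eval(...)) ... BY <field> behaves over constructed events.

Modelled assumptions (matching what the thread reports):
  * In eval, an unquoted bareword on the right of '=' is a field reference,
    so action=success compares field 'action' with field 'success'.
  * A comparison with a missing (null) operand yields null.
  * count(eval(cond)) adds 1 to a group only when cond holds; null or
    false results contribute nothing, so a group can legitimately show 0.
"""


# Constructed sample events (not from the original post).
EVENTS = [
    {"computer": "ws01", "action": "success"},
    {"computer": "ws01", "action": "failure"},
    {"computer": "ws01", "action": "success"},
    {"computer": "ws02", "action": "failure"},
    {"computer": "ws02", "action": "logoff"},  # neither value; must not be counted
    {"computer": "ws03"},                       # no action field at all
]


def eval_equals(event, field, rhs, quoted):
    """Model eval's `field=rhs`.

    quoted=True  -> rhs is a string literal ("success").
    quoted=False -> rhs is a field name (success), i.e. the unquoted form
                    from the question.
    Returns True/False, or None (null) when either side is missing.
    """
    left = event.get(field)
    right = rhs if quoted else event.get(rhs)
    if left is None or right is None:
        return None
    return left == right


def stats_count_eval(events, condition, by):
    """stats count(eval(<condition>)) BY <by>.

    Every value of the split-by field appears in the result (possibly with
    a 0 count); events lacking the split-by field are dropped, as stats
    does; an event is counted only when the condition evaluates to True.
    """
    counts = {}
    for ev in events:
        key = ev.get(by)
        if key is None:
            continue
        counts.setdefault(key, 0)
        if condition(ev) is True:
            counts[key] += 1
    return counts


def success_failure_by_computer(events, quoted):
    """The asker's goal: success and failure counts per computer.

    quoted=True models  count(eval(action="success")) AS successes ...
    quoted=False models count(eval(action=success)) ... (the form that
    returned 0 everywhere in the thread).
    """
    return {
        "successes": stats_count_eval(
            events, lambda ev: eval_equals(ev, "action", "success", quoted), "computer"),
        "failures": stats_count_eval(
            events, lambda ev: eval_equals(ev, "action", "failure", quoted), "computer"),
    }


if __name__ == "__main__":
    print("quoted  :", success_failure_by_computer(EVENTS, quoted=True))
    print("unquoted:", success_failure_by_computer(EVENTS, quoted=False))
```

With the literals quoted, ws01 reports 2 successes and 1 failure, ws02 reports 0 and 1, and ws03 appears with 0 and 0 because it has no action field. With the bareword form every group is 0, because no event carries a field named success or failure, so each comparison is null and nothing is counted; that is the "0 for each and every value" symptom described earlier in the thread. The AS clause that the error message in the thread insists on is a parser requirement of the stats command and is not modelled here.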