What I am looking to do is something of this nature:
| stats count(eval(if(action=success))), count(eval(if(action=failure))) by computer
but it has not been working out as I had hoped. Can anyone fill me in on what I might be able to do in order to get this result in my stats area of my search?
if, not enough naming:
... | stats count(eval(action=="success")) AS successes, count(eval(action=="failure")) AS failures BY computer
Making this correction to the query did not result in the desired outcome. The query returns 0 for each and every value that was specified when there are at least a few successes and failures in the queried items.
This worked for me however success and failure need to be encapsulated in quotes - "success" & "failure"
I think your syntax is wrong. What about this:
| stats count(eval(if(action="success", 1, null()))) as success_count count(eval(if(action="failure", 1, null()))) as failure_count by computer
Or simply this instead:
| stats count(eval(action="success")) as success_count count(eval(action="failure")) as failure_count by computer
Yes you are correct, the syntax is wrong but I was looking to get across what I am essentially trying to do in a clear and concise manner. I do know from having tried it previously that your second code idea does not work having put that into the search from a previous example of a similar type of code and that did not solve the issue. However, testing the first thought you had on the syntax generated the desired result for this case and as such thank you for your suggestion.
If you already have
action as a field with values that can be "success" or "failure" or something else (or nothing), what about:
... (action=success OR action=failure) | stats count by action, computer
... is your original base search. If you have already done some processing of the events, then you may have to resort to something like:
... | search action=success OR action=failure | stats count by action, computer
if's in your search aren't complete and seem to be unneeded.
The count function using an eval seems to require an AS clause. As per the doco: "count(eval(status="404")) AS count_status"
However count(eval(status="404")) without an as clause will cause a job inspector failure, and sometimes you get a useful message:
Error in 'stats' command: You must specify a rename for the aggregation specifier on the dynamically evaluated field 'count(eval(status="404"))'.