Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Problem with the summation in chart command in SPLUNK

abhayneilam
Contributor
‎03-06-2013 08:57 PM

Hi,

I want to find out how what is the total number of "Exit" and "Entry" for the particular CARD_NUMBER for a particular TRANSIT_DATE, for that to do I gave the below query, but it is not returning my any answer,

Please let me know where I am doing wrong with the query or any other alternative is there :

chart count((eval(STR_DIRECTION="Entry"))+(eval(STR_DIRECTION="Exit"))) as "Total_Count" over "TRANSIT_DATE" by "CARD_NUMBER"

Thanks in Advance!!

Tags (2)
0 Karma
Reply

jonuwz
Influencer
‎03-07-2013 12:15 AM

This :

((eval(STR_DIRECTION="Entry"))+(eval(STR_DIRECTION="Exit"))

assuming that only 1 statement can be true, will never return anything.

It evaluates to NULL + 1 or 1 + NULL, which is always null

i.e.

* | head 1 | eval a=NULL | eval b=1 | eval c=a+b | table a b c

So you need an if statement to return sane values:

( (eval(if(STR_DIRECTION=="Entry",1,0))) + (eval(if(STR_DIRECTION=="Exit",1,0))) )

There's probably a far easier way to do this if you post some sample data though

Update

... | stats count(eval(STR_DIRECTION=="Exit")) as Exit count(eval(STR_DIRECTION=="Entry")) as Entry by TRANSIT_DATE CARD_NUMBER
    | eval Complete=if(Exit==Entry,"Complete","Incomplete")
0 Karma
Reply

jonuwz
Influencer
‎03-07-2013 03:30 AM

updated answer

0 Karma
Reply

abhayneilam
Contributor
‎03-07-2013 02:04 AM

I have given this code , but it gives me some different answer, I want to compare the number of exit with the number or entry for a particular Card_num for a particular day

|inputlookup "Data-Sample.csv" | table "TRANSIT_DATE","NAME","SURNAME","IDENTIFIER","CARD_NUMBER","STR_DIRECTION","STR_TRANSIT_STATUS","TERMINAL" | chart limit=29 count(eval(STR_DIRECTION="Entry" OR STR_DIRECTION="Exit")) as "Total_Count" over "TRANSIT_DATE" by "CARD_NUMBER" |eval a=strptime(TRANSIT_DATE,"%d/%m/%Y") | sort a | fields - a

0 Karma
Reply

abhayneilam
Contributor
‎03-07-2013 01:57 AM

I have a report which contains few columns as "Date", "Card_num","Status"

I have the "Date" in %d/%m/%Y format
"Card_num" is a numeric field ( Unique value )
"Status" Contains two values,either "Entry" or "Exit"

Now, I would like to know for a particular "Card_num" for a particular "Date" , total number of "Exit" is equal to the total number of "Entry" or not, if it is equal I should make an another column as "Result" and value should be "Complete Transaction" and for unequal number It "Result" should contain "Incomplete Transaction"

Please help !!

0 Karma
Reply

jonuwz
Influencer
‎03-07-2013 01:38 AM

This has nothing to do with the original question, also, without sample data this comment is gibberish to me.

0 Karma
Reply

abhayneilam
Contributor
‎03-07-2013 12:41 AM

How do I compare the number of entry and exit of each Card_Number against each date, if num of entry is not equal to num of entry for a particular day it means , transaction is incomplete

please help

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...