- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Problem with the summation in chart command in...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Problem with the summation in chart command in SPLUNK
Hi,
I want to find out how what is the total number of "Exit" and "Entry" for the particular CARD_NUMBER for a particular TRANSIT_DATE, for that to do I gave the below query, but it is not returning my any answer,
Please let me know where I am doing wrong with the query or any other alternative is there :
chart count((eval(STR_DIRECTION="Entry"))+(eval(STR_DIRECTION="Exit"))) as "Total_Count" over "TRANSIT_DATE" by "CARD_NUMBER"
Thanks in Advance!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This :
((eval(STR_DIRECTION="Entry"))+(eval(STR_DIRECTION="Exit"))
assuming that only 1 statement can be true, will never return anything.
It evaluates to NULL + 1 or 1 + NULL, which is always null
i.e.
* | head 1 | eval a=NULL | eval b=1 | eval c=a+b | table a b c
So you need an if statement to return sane values:
( (eval(if(STR_DIRECTION=="Entry",1,0))) + (eval(if(STR_DIRECTION=="Exit",1,0))) )
There's probably a far easier way to do this if you post some sample data though
Update
... | stats count(eval(STR_DIRECTION=="Exit")) as Exit count(eval(STR_DIRECTION=="Entry")) as Entry by TRANSIT_DATE CARD_NUMBER
| eval Complete=if(Exit==Entry,"Complete","Incomplete")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
updated answer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have given this code , but it gives me some different answer, I want to compare the number of exit with the number or entry for a particular Card_num for a particular day
|inputlookup "Data-Sample.csv" | table "TRANSIT_DATE","NAME","SURNAME","IDENTIFIER","CARD_NUMBER","STR_DIRECTION","STR_TRANSIT_STATUS","TERMINAL" | chart limit=29 count(eval(STR_DIRECTION="Entry" OR STR_DIRECTION="Exit")) as "Total_Count" over "TRANSIT_DATE" by "CARD_NUMBER" |eval a=strptime(TRANSIT_DATE,"%d/%m/%Y") | sort a | fields - a
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a report which contains few columns as "Date", "Card_num","Status"
I have the "Date" in %d/%m/%Y format
"Card_num" is a numeric field ( Unique value )
"Status" Contains two values,either "Entry" or "Exit"
Now, I would like to know for a particular "Card_num" for a particular "Date" , total number of "Exit" is equal to the total number of "Entry" or not, if it is equal I should make an another column as "Result" and value should be "Complete Transaction" and for unequal number It "Result" should contain "Incomplete Transaction"
Please help !!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This has nothing to do with the original question, also, without sample data this comment is gibberish to me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I compare the number of entry and exit of each Card_Number against each date, if num of entry is not equal to num of entry for a particular day it means , transaction is incomplete
please help
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
