Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Query to display count boolean fields as seper...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dreamygguy
New Member
09-06-2013
08:16 AM
Hello,
I'm trying to create a splunk query that will enable me to display the count of the TRUE and FALSE values of an operation. Can anybody help with this?
The output I'm expecting to display is something like the following.
Time Operation Success=True Success=False
10AM ABC 20 0
11AM ABC 30 5
12AM ABC 30 0
Thank You!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kml_uvce
Builder
09-06-2013
08:54 AM
your query|chart count(eval(<field>=TRUE)) AS Success=True, count(eval(<field>=FALSE)) AS Success=False by Time Operation
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kml_uvce
Builder
09-06-2013
08:54 AM
your query|chart count(eval(<field>=TRUE)) AS Success=True, count(eval(<field>=FALSE)) AS Success=False by Time Operation
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
proletariat99
Communicator
04-02-2015
12:55 PM
This syntax doesn't work for me. Is there something missing? I'm v6.2.
index= |chart count(eval(="TRUE")) AS Success=True, count(eval(="FALSE")) AS Success=False by hostname
Error in 'chart' command: The specifier 'AS' is invalid. It must be in form (). For example: max(size).
The search job has failed due to an error. You may be able view the job in the Job Inspector.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kml_uvce
Builder
09-06-2013
07:00 PM
this was the typo error from me
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dreamygguy
New Member
09-06-2013
01:47 PM
Thank you for your answer! The only change I made is for the following commands -
count(eval(
the value should be inside quotes.
count(eval(
Get Updates on the Splunk Community!
Good Sourcetype Naming
When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Splunk App for Anomaly Detection End of Life Announcement
Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...
