Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

STATS COUNT on same field before and after WHERE / Condition?

vaibhavvijay9
New Member
‎02-14-2019 11:15 AM

Hi All,

What I want is :

  1. Total no. of queues and total no. of queues with pending messages.
    Something like this :

    .... | xmlkv | table _time, qName, pendingMsgs | stats count(qName) as totalQueues | stats count(qName) where pendingMsgs > 0 as queuesWithPendingMessages
    I want to achieve the working of last pipe and also save the values to calculate the percentage.

Or Output to be like this :

totalQueues = 15
queuesWithPendingMessages = 4
Percentage (queuesWithPendingMessages / totalQueues) x 100 = 26.66

Please help.

Thanks in advance.

Tags (1)
0 Karma
Reply

vaibhavvijay9
New Member
‎02-14-2019 11:26 AM

Got it!
Here is the solution :

.... | xmlkv | table _time, qName, pendingMsgs | stats count(qName) as totalQueues, count(eval(pendingMsgs > 0)) as queuesWithPendingMessages | eval percentage=(queuesWithPendingMessages/totalQueues)*100

But is it fully (logically) correct? Please share your views.

Awaiting your response.
Thanks!

0 Karma
Reply

chrisyounger
SplunkTrust
SplunkTrust
‎02-14-2019 11:24 AM

Try this:

.... 
| xmlkv 
| table _time, qName, pendingMsgs 
| eval hasPending = (pendingMsgs > 0,1,0)
| stats count(qName) as totalQueues sum(hasPending) as queuesWithPendingMessages
| eval percentage = (queuesWithPendingMessages / totalQueues) * 100

Hope it helps!

0 Karma
Reply

vaibhavvijay9
New Member
‎02-14-2019 11:38 AM

Hi @chrisyoungerjds,

Thanks a lot for the quick response!

Your provided string is displaying error as :

Error in 'eval' command: The expression is malformed. Expected ).

However, I have got the solution while trying it by myself, and I have posted it here as answer.

But is it fully (logically) correct? Please share your views.

Awaiting your response.
Thanks again.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...