Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Simple eval + stats count by 2 fields not working
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the_wolverine
Champion
10-12-2012
05:24 PM
What am I doing wrong? I've tried several iterations of the following all which return 2 columns with a count of 0:
sourcetype=a OR sourcetype=b | stats count
count(eval(sourcetype=a)) AS a_count
count(eval(sourcetype=b)) AS b_count
- "sourcetype=a OR sourcetype=b | stats count by sourcetype" <= returns the correct counts but I'm unable to split the count out for further evaluation. I need to be able to eval diff=(b_count-a_count).
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the_wolverine
Champion
10-12-2012
05:33 PM
OMG. I got it to work by changing '=' to '==' and putting the value in quotes! HOW FICKLE!!
sourcetype=a OR sourcetype=b | stats count as Total
count(eval(sourcetype=="a")) AS a_count
count(eval(sourcetype=="b")) AS b_count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
AFAS
Explorer
08-04-2016
03:06 AM
I was looking for this for days! Thanks the_wolverine
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
shikhanshu
Path Finder
09-15-2014
09:14 PM
Exact same situation and exact same reaction. OMG. 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the_wolverine
Champion
10-12-2012
05:33 PM
OMG. I got it to work by changing '=' to '==' and putting the value in quotes! HOW FICKLE!!
sourcetype=a OR sourcetype=b | stats count as Total
count(eval(sourcetype=="a")) AS a_count
count(eval(sourcetype=="b")) AS b_count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmak
Contributor
02-04-2013
01:34 PM
So glad I found this 🙂
Get Updates on the Splunk Community!
Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps
It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...
What’s New in Splunk Observability – September 2025
What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...
Fun with Regular Expression - multiples of nine
Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...
