Simple query to take results and list them as yes/...

mflippin · ‎01-11-2021

Hello.

I have a large data set that I'm working through that gives either a 5 digit number or a "-" if there is no value. I have my search results but I can't seem to get them into the format I'm looking for.

I'd like to get the results into a format showing

Room 1

Set (total)

Unset (total)

And the same for Room 2, 3, 4

Query

Index=acme dvc_room="*" station="*"

Output

index=acme dvc_room=4 station="-"

index=acme dvc_room=3 station="123456"

index=bluecoat dvc_room=2 station="-"

index=bluecoat dvc_room=1 station="56132"

index=bluecoat dvc_room=3 station="-"

index=bluecoat dvc_room=2 station="56132"

index=bluecoat dvc_room=4 station="56132"

Any help would be appreciated.

bowesmana · ‎01-11-2021

You say your query is

Index=acme dvc_room="*" station="*"

but you list output with index=bluecoat

Maybe this is what you are after

your search...
| stats sum(eval(if(station="-",0,1))) as Set sum(eval(if(station="-",1,0))) as Unset by dvc_room

Assuming that when you talk about set/unset, you mean that unset is station="-" and set if not.

Simple query to take results and list them as yes/no

chart

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!