Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- eventstats with conditions
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Is it possible to use eventstats with conditions?
For example:
I only want to apply eventstats only if field name contains "student-1"
| eventstats values(if(match(name,"student-1"), name, null())) as student by grade
Please suggest.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The values() statement requires 'eval', i.e.
| eventstats values(eval(if(match(name,"student-1"), name, null()))) as student by grade- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @bowesmana
The eval match condition worked, but it didn't give me the result I expected.
Is it possible to use "eventstat match condition" to group the student based on partialname?
Do you think moving to evenstat makes the search more efficient?
I appreciate your help. Thank you so much
without "eventstat match condition" - it worked
| makeresults format=csv data="grade,name
A,student-1-a
A,student-1-b
A,student-1-c
A,student-2-a
A,student-2-b
A,student-2-c"
| eval partialname=substr(name,0,9)
| eventstats values(name) as student by partialname
with "eventstat match condition" - it didn't work
| makeresults format=csv data="grade,name
A,student-1-a
A,student-1-b
A,student-1-c
A,student-2-a
A,student-2-b
A,student-2-c"
| eval partialname=substr(name,0,9)
| eventstats values(eval(if(match(name,substr(name,0,9)), name, null()))) as student by grade
Data:
| class | name |
| class-1 | student-1-a |
| class-1 | student-1-b |
| class-1 | student-1-c |
| class-1 | student-2-a |
| class-1 | student-2-b |
| class-1 | student-2-c |
Expected result
| grade | name | student |
| A | student-1-a | student-1-a |
| student-1-b | ||
| student-1-c | ||
| A | student-1-b | student-1-a |
| student-1-b | ||
| student-1-c | ||
| A | student-1-c | student-1-a |
| student-1-b | ||
| student-1-c | ||
| A | student-2-a | student-2-a |
| student-2-b | ||
| student-2-c | ||
| A | student-2-b | student-2-a |
| student-2-b | ||
| student-2-c | ||
| A | student-2-c | student-2-a |
| student-2-b | ||
| student-2-c |
Currently here's the result with eventstats match condition
| grade | name | partialname | student |
| A | student-1-a | student-1 | student-1-a |
| student-1-b | |||
| student-1-c | |||
| student-2-a | |||
| student-2-b | |||
| student-2-c | |||
| A | student-1-b | student-1 | student-1-a |
| student-1-b | |||
| student-1-c | |||
| student-2-a | |||
| student-2-b | |||
| student-2-c | |||
| A | student-1-c | student-1 | student-1-a |
| student-1-b | |||
| student-1-c | |||
| student-2-a | |||
| student-2-b | |||
| student-2-c | |||
| A | student-2-a | student-2 | student-1-a |
| student-1-b | |||
| student-1-c | |||
| student-2-a | |||
| student-2-b | |||
| student-2-c | |||
| A | student-2-b | student-2 | student-1-a |
| student-1-b | |||
| student-1-c | |||
| student-2-a | |||
| student-2-b | |||
| student-2-c | |||
| A | student-2-c | student-2 | student-1-a |
| student-1-b | |||
| student-1-c | |||
| student-2-a | |||
| student-2-b | |||
| student-2-c |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm a little unclear on your requirement, but your working eventstats example that gives you the "Expected result" of
| grade | name | student |
| A | student-1-a | student-1-a |
| student-1-b | ||
| student-1-c | ||
| A | student-1-b | student-1-a |
| student-1-b | ||
| student-1-c |
...
so you want all values of student-X-Y to be included for each combination of student-X-Y?
In that case, you don't need the match statement, so what is the issue?
Depending on the data volume, eventstats can be slower, so you could use this variant
...
| eval partialname=substr(name,0,9)
| stats values(name) as student by grade partialname
| eval name=student
| mvexpand namethat uses stats, which will be more efficient than eventstats, but then mvexpand will be slower, but you cna measure the performance if volume is an issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @bowesmana
so you want all values of student-X-Y to be included for each combination of student-X-Y?
>> yes, like it is in the expected result
In that case, you don't need the match statement, so what is the issue?
>> I figured out after I posted this that I don't need the match statement, but I am curious if it also can be done using match statement. So, in this case it won't work using match statement, correct?
Thanks for your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Correct, the match statement will break things because all events will all match the match key
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The values() statement requires 'eval', i.e.
| eventstats values(eval(if(match(name,"student-1"), name, null()))) as student by grade
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
