- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- eventstats with conditions
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Is it possible to use eventstats with conditions?
For example:
I only want to apply eventstats only if field name contains "student-1"
| eventstats values(if(match(name,"student-1"), name, null())) as student by grade
Please suggest.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The values() statement requires 'eval', i.e.
| eventstats values(eval(if(match(name,"student-1"), name, null()))) as student by grade- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @bowesmana
The eval match condition worked, but it didn't give me the result I expected.
Is it possible to use "eventstat match condition" to group the student based on partialname?
Do you think moving to evenstat makes the search more efficient?
I appreciate your help. Thank you so much
without "eventstat match condition" - it worked
| makeresults format=csv data="grade,name
A,student-1-a
A,student-1-b
A,student-1-c
A,student-2-a
A,student-2-b
A,student-2-c"
| eval partialname=substr(name,0,9)
| eventstats values(name) as student by partialname
with "eventstat match condition" - it didn't work
| makeresults format=csv data="grade,name
A,student-1-a
A,student-1-b
A,student-1-c
A,student-2-a
A,student-2-b
A,student-2-c"
| eval partialname=substr(name,0,9)
| eventstats values(eval(if(match(name,substr(name,0,9)), name, null()))) as student by grade
Data:
| class | name |
| class-1 | student-1-a |
| class-1 | student-1-b |
| class-1 | student-1-c |
| class-1 | student-2-a |
| class-1 | student-2-b |
| class-1 | student-2-c |
Expected result
| grade | name | student |
| A | student-1-a | student-1-a |
| student-1-b | ||
| student-1-c | ||
| A | student-1-b | student-1-a |
| student-1-b | ||
| student-1-c | ||
| A | student-1-c | student-1-a |
| student-1-b | ||
| student-1-c | ||
| A | student-2-a | student-2-a |
| student-2-b | ||
| student-2-c | ||
| A | student-2-b | student-2-a |
| student-2-b | ||
| student-2-c | ||
| A | student-2-c | student-2-a |
| student-2-b | ||
| student-2-c |
Currently here's the result with eventstats match condition
| grade | name | partialname | student |
| A | student-1-a | student-1 | student-1-a |
| student-1-b | |||
| student-1-c | |||
| student-2-a | |||
| student-2-b | |||
| student-2-c | |||
| A | student-1-b | student-1 | student-1-a |
| student-1-b | |||
| student-1-c | |||
| student-2-a | |||
| student-2-b | |||
| student-2-c | |||
| A | student-1-c | student-1 | student-1-a |
| student-1-b | |||
| student-1-c | |||
| student-2-a | |||
| student-2-b | |||
| student-2-c | |||
| A | student-2-a | student-2 | student-1-a |
| student-1-b | |||
| student-1-c | |||
| student-2-a | |||
| student-2-b | |||
| student-2-c | |||
| A | student-2-b | student-2 | student-1-a |
| student-1-b | |||
| student-1-c | |||
| student-2-a | |||
| student-2-b | |||
| student-2-c | |||
| A | student-2-c | student-2 | student-1-a |
| student-1-b | |||
| student-1-c | |||
| student-2-a | |||
| student-2-b | |||
| student-2-c |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm a little unclear on your requirement, but your working eventstats example that gives you the "Expected result" of
| grade | name | student |
| A | student-1-a | student-1-a |
| student-1-b | ||
| student-1-c | ||
| A | student-1-b | student-1-a |
| student-1-b | ||
| student-1-c |
...
so you want all values of student-X-Y to be included for each combination of student-X-Y?
In that case, you don't need the match statement, so what is the issue?
Depending on the data volume, eventstats can be slower, so you could use this variant
...
| eval partialname=substr(name,0,9)
| stats values(name) as student by grade partialname
| eval name=student
| mvexpand namethat uses stats, which will be more efficient than eventstats, but then mvexpand will be slower, but you cna measure the performance if volume is an issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @bowesmana
so you want all values of student-X-Y to be included for each combination of student-X-Y?
>> yes, like it is in the expected result
In that case, you don't need the match statement, so what is the issue?
>> I figured out after I posted this that I don't need the match statement, but I am curious if it also can be done using match statement. So, in this case it won't work using match statement, correct?
Thanks for your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Correct, the match statement will break things because all events will all match the match key
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The values() statement requires 'eval', i.e.
| eventstats values(eval(if(match(name,"student-1"), name, null()))) as student by grade
New Case Study Shows the Value of Partnering with Splunk Academic Alliance
How to Monitor Google Kubernetes Engine (GKE)
Index This | How can you make 45 using only 4?
