Splunk Search

eventstats with conditions

LearningGuy
Builder

Hello,

Is it possible to use eventstats with conditions?
For example:
I only want to apply eventstats only if field name contains "student-1"

| eventstats values(if(match(name,"student-1"), name, null())) as student by  grade

Please suggest.

Thanks

Labels (3)
Tags (1)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

The values() statement requires 'eval', i.e.

| eventstats values(eval(if(match(name,"student-1"), name, null()))) as student by  grade

View solution in original post

LearningGuy
Builder

Hello @bowesmana 

The eval match condition worked, but it didn't give me the result I expected.

Is it possible to use "eventstat match condition" to group the student based on partialname?

Do you think moving to evenstat makes the search more efficient? 
I appreciate your help. Thank you so much

without "eventstat match condition" - it worked

 

| makeresults format=csv data="grade,name
A,student-1-a
A,student-1-b
A,student-1-c
A,student-2-a
A,student-2-b
A,student-2-c"
| eval partialname=substr(name,0,9)
| eventstats values(name) as student by partialname

 



with "eventstat match condition" - it didn't work

 

| makeresults format=csv data="grade,name
A,student-1-a
A,student-1-b
A,student-1-c
A,student-2-a
A,student-2-b
A,student-2-c"
| eval partialname=substr(name,0,9)
| eventstats values(eval(if(match(name,substr(name,0,9)), name, null()))) as student by  grade

 


Data:

classname
class-1student-1-a
class-1student-1-b
class-1student-1-c
class-1student-2-a
class-1student-2-b
class-1student-2-c


Expected result

gradenamestudent
Astudent-1-astudent-1-a
  student-1-b
  student-1-c
Astudent-1-bstudent-1-a
  student-1-b
  student-1-c
Astudent-1-cstudent-1-a
  student-1-b
  student-1-c
Astudent-2-astudent-2-a
  student-2-b
  student-2-c
Astudent-2-bstudent-2-a
  student-2-b
  student-2-c
Astudent-2-cstudent-2-a
  student-2-b
  student-2-c


Currently here's the result with eventstats match condition

gradenamepartialnamestudent
Astudent-1-astudent-1student-1-a
   student-1-b
   student-1-c
   student-2-a
   student-2-b
   student-2-c
Astudent-1-bstudent-1student-1-a
   student-1-b
   student-1-c
   student-2-a
   student-2-b
   student-2-c
Astudent-1-cstudent-1student-1-a
   student-1-b
   student-1-c
   student-2-a
   student-2-b
   student-2-c
Astudent-2-astudent-2student-1-a
   student-1-b
   student-1-c
   student-2-a
   student-2-b
   student-2-c
Astudent-2-bstudent-2student-1-a
   student-1-b
   student-1-c
   student-2-a
   student-2-b
   student-2-c
Astudent-2-cstudent-2student-1-a
   student-1-b
   student-1-c
   student-2-a
   student-2-b
   student-2-c



0 Karma

bowesmana
SplunkTrust
SplunkTrust

I'm a little unclear on your requirement, but your working eventstats example that gives you the "Expected result" of

gradenamestudent
Astudent-1-astudent-1-a
  student-1-b
  student-1-c
Astudent-1-bstudent-1-a
  student-1-b
  student-1-c

...

so you want all values of student-X-Y to be included for each combination of student-X-Y?

In that case, you don't need the match statement, so what is the issue?

Depending on the data volume, eventstats can be slower, so you could use this variant

...
| eval partialname=substr(name,0,9)
| stats values(name) as student by grade partialname
| eval name=student
| mvexpand name

that uses stats, which will be more efficient than eventstats, but then mvexpand will be slower, but you cna measure the performance if volume is an issue.

LearningGuy
Builder

Hi @bowesmana 

so you want all values of student-X-Y to be included for each combination of student-X-Y?
>> yes, like it is in the expected result

In that case, you don't need the match statement, so what is the issue?
>> I figured out after I posted this that I don't need the match statement, but I am curious if it also can be done  using match statement.  So, in this case it won't work using match statement, correct?


Thanks for your help.

0 Karma

bowesmana
SplunkTrust
SplunkTrust

Correct, the match statement will break things because all events will all match the match key

bowesmana
SplunkTrust
SplunkTrust

The values() statement requires 'eval', i.e.

| eventstats values(eval(if(match(name,"student-1"), name, null()))) as student by  grade
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...