Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

eventstats with conditions

LearningGuy
Builder
‎06-11-2024 07:35 PM

Hello,

Is it possible to use eventstats with conditions?
For example:
I only want to apply eventstats only if field name contains "student-1"

| eventstats values(if(match(name,"student-1"), name, null())) as student by  grade

Please suggest.

Thanks

Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎06-11-2024 09:34 PM

The values() statement requires 'eval', i.e.

| eventstats values(eval(if(match(name,"student-1"), name, null()))) as student by  grade

View solution in original post

Reply
Solved! Jump to solution

LearningGuy
Builder
‎06-13-2024 04:54 AM

Hello @bowesmana 

The eval match condition worked, but it didn't give me the result I expected.

Is it possible to use "eventstat match condition" to group the student based on partialname?

Do you think moving to evenstat makes the search more efficient? 
I appreciate your help. Thank you so much

without "eventstat match condition" - it worked

 

| makeresults format=csv data="grade,name
A,student-1-a
A,student-1-b
A,student-1-c
A,student-2-a
A,student-2-b
A,student-2-c"
| eval partialname=substr(name,0,9)
| eventstats values(name) as student by partialname

 



with "eventstat match condition" - it didn't work

 

| makeresults format=csv data="grade,name
A,student-1-a
A,student-1-b
A,student-1-c
A,student-2-a
A,student-2-b
A,student-2-c"
| eval partialname=substr(name,0,9)
| eventstats values(eval(if(match(name,substr(name,0,9)), name, null()))) as student by  grade

 


Data:

classname
class-1student-1-a
class-1student-1-b
class-1student-1-c
class-1student-2-a
class-1student-2-b
class-1student-2-c


Expected result

gradenamestudent
Astudent-1-astudent-1-a
  student-1-b
  student-1-c
Astudent-1-bstudent-1-a
  student-1-b
  student-1-c
Astudent-1-cstudent-1-a
  student-1-b
  student-1-c
Astudent-2-astudent-2-a
  student-2-b
  student-2-c
Astudent-2-bstudent-2-a
  student-2-b
  student-2-c
Astudent-2-cstudent-2-a
  student-2-b
  student-2-c


Currently here's the result with eventstats match condition

gradenamepartialnamestudent
Astudent-1-astudent-1student-1-a
   student-1-b
   student-1-c
   student-2-a
   student-2-b
   student-2-c
Astudent-1-bstudent-1student-1-a
   student-1-b
   student-1-c
   student-2-a
   student-2-b
   student-2-c
Astudent-1-cstudent-1student-1-a
   student-1-b
   student-1-c
   student-2-a
   student-2-b
   student-2-c
Astudent-2-astudent-2student-1-a
   student-1-b
   student-1-c
   student-2-a
   student-2-b
   student-2-c
Astudent-2-bstudent-2student-1-a
   student-1-b
   student-1-c
   student-2-a
   student-2-b
   student-2-c
Astudent-2-cstudent-2student-1-a
   student-1-b
   student-1-c
   student-2-a
   student-2-b
   student-2-c



0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎06-13-2024 06:46 PM

I'm a little unclear on your requirement, but your working eventstats example that gives you the "Expected result" of

gradenamestudent
Astudent-1-astudent-1-a
  student-1-b
  student-1-c
Astudent-1-bstudent-1-a
  student-1-b
  student-1-c

...

so you want all values of student-X-Y to be included for each combination of student-X-Y?

In that case, you don't need the match statement, so what is the issue?

Depending on the data volume, eventstats can be slower, so you could use this variant

...
| eval partialname=substr(name,0,9)
| stats values(name) as student by grade partialname
| eval name=student
| mvexpand name

that uses stats, which will be more efficient than eventstats, but then mvexpand will be slower, but you cna measure the performance if volume is an issue.

Reply
Solved! Jump to solution

LearningGuy
Builder
‎06-14-2024 05:07 AM

Hi @bowesmana 

so you want all values of student-X-Y to be included for each combination of student-X-Y?
>> yes, like it is in the expected result

In that case, you don't need the match statement, so what is the issue?
>> I figured out after I posted this that I don't need the match statement, but I am curious if it also can be done  using match statement.  So, in this case it won't work using match statement, correct?


Thanks for your help.

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎06-16-2024 05:58 PM

Correct, the match statement will break things because all events will all match the match key

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎06-11-2024 09:34 PM

The values() statement requires 'eval', i.e.

| eventstats values(eval(if(match(name,"student-1"), name, null()))) as student by  grade
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top