Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

getting stats from a query where match is found.

surekhasplunk
Communicator
‎01-12-2018 05:41 AM

Hi,

| rest /services/authentication/users splunk_server=local | search [| rest /services/authentication/current-context | rename username as title | fields title]|fields title |map [search index=summary |search "requester_name"=Tom | stats count by "Delivery Area"]

I am using above query which is giving me result count 3 which is correct as i have 3 rows for the delivery area to which the requester name Tom belong to.

But my requirement is now i want to get the total count 10 which is the total count of rows the particular "Delivery Area" has.
The "Delivery Area" name say suppose Cloud_platform has a total of 10 rows in the summary index.
So when i login as user Tom since i belong to Cloud_platform can i just take the delivery area name corresponding to my name but get count of all the persons in the delivery area.

thanks

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎01-12-2018 06:29 AM

If I'm understanding your requirements correctly, you want to change this part of your search

| map 
  [ search index=summary 
    | search "requester_name"=$title$
    | stats count by "Delivery Area"]

to use some logic that finds the value of "Delivery Area" for the user with requester_name=$title$ and then counts all events with that "Delivery Area". If so, this should do the trick:

| map 
   [ search index=summary 
     | eval relevant_area=if("requester_name"="$title$", 'Delivery Area', NULL)
     | eventstats max(relevant_area) AS relevant_area
     | stats count(eval(relevant_area='Delivery Area')) AS count BY "Delivery Area" ]

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎01-12-2018 06:29 AM

If I'm understanding your requirements correctly, you want to change this part of your search

| map 
  [ search index=summary 
    | search "requester_name"=$title$
    | stats count by "Delivery Area"]

to use some logic that finds the value of "Delivery Area" for the user with requester_name=$title$ and then counts all events with that "Delivery Area". If so, this should do the trick:

| map 
   [ search index=summary 
     | eval relevant_area=if("requester_name"="$title$", 'Delivery Area', NULL)
     | eventstats max(relevant_area) AS relevant_area
     | stats count(eval(relevant_area='Delivery Area')) AS count BY "Delivery Area" ]
0 Karma
Reply
Solved! Jump to solution

surekhasplunk
Communicator
‎01-12-2018 07:37 AM

Hi @elliotproebstel

Thanks got it working ...but i have a problem with pattern matching can you please help me with that.

| eval relevant_area=if(match(lower('requester_name'),"%$title$%"), 'Delivery Area', NULL)
| eventstats max(relevant_area) AS relevant_area | stats count(eval(relevant_area='Delivery Area')) AS count BY "Delivery Area"

because the requester_name looks like this Tom Williams but my variable title has got value like this tom

0 Karma
Reply
Solved! Jump to solution

elliotproebstel
Champion
‎01-12-2018 08:30 AM

Sure thing. I think it will work if you replace match with like:

| eval relevant_area=if(like(lower(requester_name),"%$title$%"), 'Delivery Area', NULL)

Note: It makes no difference to include single quotes around a field name that does not contain spaces, so I removed them from around requester_name.

0 Karma
Reply
Solved! Jump to solution

elliotproebstel
Champion
‎01-12-2018 08:33 AM

FYI, the match function uses regex to compare the first and second options.
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/ConditionalFunctions#match.28...

The like function performs pattern matching and uses the % character as a wildcard.
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/ConditionalFunctions#like.28T...

0 Karma
Reply
Solved! Jump to solution

micahkemp
Champion
‎01-12-2018 08:07 AM

Don't forget to accept the answer if you consider it correct and helpful.

0 Karma
Reply
Solved! Jump to solution

elliotproebstel
Champion
‎01-12-2018 08:04 AM

Glad to help!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...