Solved: splunk query with if condition

Nith1 · ‎06-02-2021

Hi Team

i want to display the success and failure count for that i have only one field i.e

b_failed="false"

using this i could get the success count how can i get the count of jobs that are failed

Below is the query and it doesnt return the failure count

....|eval status=if(b_failed="false","success","failed")
|stats count(status) as count

can someone please correct me
Thanks

harsmarvania57 · ‎06-02-2021

Try this

|stats sum(eval(if(b_failed="false",1,0))) as success_count, sum(eval(if(b_failed="false",0,1))) as failed_count

View solution in original post

harsmarvania57 · ‎06-02-2021

Try this

|stats sum(eval(if(b_failed="false",1,0))) as success_count, sum(eval(if(b_failed="false",0,1))) as failed_count

isoutamo · ‎06-02-2021

Hi

check stats + eval from this page https://docs.splunk.com/Documentation/Splunk/8.2.0/SearchReference/Stats

I think that this is your solution.

r. Ismo

splunk query with if condition

count

fields

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Almost Too Eventful Assurance: Part 1

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Are you a member of the Splunk Community?