Solved: splunk query with if condition

Nith1 · ‎06-02-2021

Hi Team

i want to display the success and failure count for that i have only one field i.e

b_failed="false"

using this i could get the success count how can i get the count of jobs that are failed

Below is the query and it doesnt return the failure count

....|eval status=if(b_failed="false","success","failed")
|stats count(status) as count

can someone please correct me
Thanks

harsmarvania57 · ‎06-02-2021

Try this

|stats sum(eval(if(b_failed="false",1,0))) as success_count, sum(eval(if(b_failed="false",0,1))) as failed_count

View solution in original post

harsmarvania57 · ‎06-02-2021

Try this

|stats sum(eval(if(b_failed="false",1,0))) as success_count, sum(eval(if(b_failed="false",0,1))) as failed_count

isoutamo · ‎06-02-2021

Hi

check stats + eval from this page https://docs.splunk.com/Documentation/Splunk/8.2.0/SearchReference/Stats

I think that this is your solution.

r. Ismo

splunk query with if condition

count

fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation