Solved: splunk query with if condition

Nith1 · ‎06-02-2021

Hi Team

i want to display the success and failure count for that i have only one field i.e

b_failed="false"

using this i could get the success count how can i get the count of jobs that are failed

Below is the query and it doesnt return the failure count

....|eval status=if(b_failed="false","success","failed")
|stats count(status) as count

can someone please correct me
Thanks

harsmarvania57 · ‎06-02-2021

Try this

|stats sum(eval(if(b_failed="false",1,0))) as success_count, sum(eval(if(b_failed="false",0,1))) as failed_count

View solution in original post

harsmarvania57 · ‎06-02-2021

Try this

|stats sum(eval(if(b_failed="false",1,0))) as success_count, sum(eval(if(b_failed="false",0,1))) as failed_count

isoutamo · ‎06-02-2021

Hi

check stats + eval from this page https://docs.splunk.com/Documentation/Splunk/8.2.0/SearchReference/Stats

I think that this is your solution.

r. Ismo

splunk query with if condition

count

fields

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation