Solved: splunk query with if condition

Nith1 · ‎06-02-2021

Hi Team

i want to display the success and failure count for that i have only one field i.e

b_failed="false"

using this i could get the success count how can i get the count of jobs that are failed

Below is the query and it doesnt return the failure count

....|eval status=if(b_failed="false","success","failed")
|stats count(status) as count

can someone please correct me
Thanks

harsmarvania57 · ‎06-02-2021

Try this

|stats sum(eval(if(b_failed="false",1,0))) as success_count, sum(eval(if(b_failed="false",0,1))) as failed_count

View solution in original post

harsmarvania57 · ‎06-02-2021

Try this

|stats sum(eval(if(b_failed="false",1,0))) as success_count, sum(eval(if(b_failed="false",0,1))) as failed_count

isoutamo · ‎06-02-2021

Hi

check stats + eval from this page https://docs.splunk.com/Documentation/Splunk/8.2.0/SearchReference/Stats

I think that this is your solution.

r. Ismo

splunk query with if condition

count

fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

Join the Conversation