Solved: the function sum(count) by xx field is not working

umsundar2015 · ‎10-25-2016

For me the below stats sum(count) by Asset_status provies no results .

eval Asset_status= if(Asset_Class=Server OR Asset_Type_Name=Server OR Asset_Class="" ,"Server",if( Asset_Class="eskto" OR Asset_Type_Name=Computer OR Asset_Type_Name="","Desktop","Others"))|stats sum(count) by Asset_status

Asset_status sum(count)
Desktop

Others

Server

May i please know the reason for this and how can i get the sum of counts values.

inventsekar · ‎10-25-2016

stats sum(count) is not needed. just stats count is fine.

    |stats count by Asset_status

eval Asset_status= if(Asset_Class=Server OR Asset_Type_Name=Server OR Asset_Class="" ,"Server",if( Asset_Class="eskto" OR Asset_Type_Name=Computer OR Asset_Type_Name="","Desktop","Others"))|stats count by Asset_status

View solution in original post

inventsekar · ‎10-25-2016

stats sum(count) is not needed. just stats count is fine.

    |stats count by Asset_status

eval Asset_status= if(Asset_Class=Server OR Asset_Type_Name=Server OR Asset_Class="" ,"Server",if( Asset_Class="eskto" OR Asset_Type_Name=Computer OR Asset_Type_Name="","Desktop","Others"))|stats count by Asset_status

inventsekar · ‎10-26-2016

Hi Umsundar, may i know if this issue got resolved, can you please mark it as accepted answer..

cmerriman · ‎10-25-2016

also, you can use case instead of a nested if

...|eval Asset_status= case(Asset_Class=Server OR Asset_Type_Name=Server OR Asset_Class="" ,"Server", Asset_Class="eskto" OR Asset_Type_Name=Computer OR Asset_Type_Name="","Desktop",1=1,"Others")|stats count by Asset_status

the function sum(count) by xx field is not working

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio