Hi Tom,

The reason you're having an issue here is you're using "comparison" which is a string value - get rid of the double quotes and it will reference the field. I've had a play using the below SPL to create some sample data and I think it now gives the result expected?

| makeresults
| eval _raw = "[{\"integrationName\":\"Opsgenie Edge Connector - Splunk\",\"alert\":{\"message\":\"[ThousandEyes] Alert for TMS Core Healthcheck\",\"id\":\"abc123xyz\"},\"action\":\"Create\"},{\"integrationName\":\"Opsgenie Edge Connector - Splunk\",\"alert\":{\"message\":\"[ThousandEyes] Alert for TMS Core Healthcheck\",\"id\":\"abc123xyz\"},\"action\":\"Close\"},{\"integrationName\":\"Opsgenie Edge Connector - Splunk\",\"alert\":{\"message\":\"[ThousandEyes] Alert for TMS Core Healthcheck\",\"id\":\"def456uvw\"},\"action\":\"Create\"},{\"integrationName\":\"Opsgenie Edge Connector - Splunk\",\"alert\":{\"message\":\"[ThousandEyes] Alert for TMS Core Healthcheck\",\"id\":\"def456uvw\"},\"action\":\"Close\"},{\"integrationName\":\"Opsgenie Edge Connector - Splunk\",\"alert\":{\"message\":\"[ThousandEyes] Alert for TMS Core Healthcheck\",\"id\":\"ghi789rst\"},\"action\":\"Create\"}]"
| eval events=json_array_to_mv(_raw)
| mvexpand events
| eval _raw=events
| fields _raw
| spath
``` Prep work complete ```
| eval Create=IF(action=="Create",1,0)
| eval Close=IF(action=="Close",1,0)
| stats sum(Create) as isCreate, sum(Close) as isClose by alert.id
| eval comparison=IF(isCreate>isClose,"1", "0")
| stats sum(comparison) as Sum count(comparison) as Count
| eval Application = "TMS_API"
| eval test = Sum
| eval test1 = Count
| eval test2 = Application
| eval "Monitor Details" = "Performs a Health Check "
| table test, test1, test2 , "Monitor Details"

Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped.

Regards
Will