Hi, thank you so much for your reply ... unfortunately, I could not get this query to work, and I think the reason is that one of the closing brackets is in the wrong place. I tried a number of changes, but none of them worked. However, you did confirm what I thought, which was that the ‘eval’ command is the way to address this particular requirement. I looked at the training material that I got from the ‘Searching and Reporting with Splunk’ training course, and used one of the examples to produce the following query (the ‘NOT Customer’ parts of the query are to exclude 3 customers where the SLA data is not present in the ‘crspcalls’ sourcetype):
(Bizarrely, the asterisk symbol won't display properly here, so I've used the word 'asterisk' instead)
sourcetype=crspcalls NOT Customer="CustomerA" AND NOT Customer="CustomerB" AND NOT Customer="CustomerC"
| stats
count(eval(Conformance="1" AND Override!="asterisk")) as Met,
count(eval(Conformance="0" AND Override="asterisk")) as Overridden,
count(eval(Conformance="0" AND Override!="asterisk")) as Failed
That query ran without producing any errors, but I could see that the results were not accurate at all. So the query results were 3 columns on the ‘Statistics’ tab (Met, Overridden and Failed), but the results were completely inaccurate. If I changed the 2 instances of
AND Override!="asterisk"
to
AND NOT Override="asterisk"
the query produced different results, but again, completely inaccurate results.
I realised that the issue was with searching the Override field using the asterisk symbol, as if I listed all the possible values that exist in the Override field, as in the following example, the results were accurate.
sourcetype=crspcalls NOT Customer="CustomerA" AND NOT Customer="CustomerB" AND NOT Customer="CustomerC"
| stats
count(eval(Conformance="1" AND NOT Override="NF"
AND NOT Override="HU"
AND NOT Override="NF-CHARGE"
)) as Met,
count(eval(Conformance="0" AND (Override="NF"
OR Override="HU"
OR Override="NF-CHARGE"
))) as Overridden,
count(eval(Conformance="0" AND NOT Override="NF"
AND NOT Override="HU"
AND NOT Override="NF-CHARGE"
)) as Failed
I’ve only listed 3 of the possible values that exist in the Override field, but there are in fact 36 possible values. As you can imagine, the query with all 36 possible values listed 3 times is a bit of a monster query!
Can you suggest what the problem is with the asterisk symbol, or can you see where the problem is with the misplaced closing bracket in your original suggestion?
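An added example, not part of the original post, showing the three counts without enumerating every Override value. Inside eval() the string "*" is compared as a literal, not as a search-time wildcard, so "is there any override" is tested with isnotnull() instead; the helper field has_override is a name introduced here, and the assumption is that Override is absent or empty on events that were not overridden.

```spl
sourcetype=crspcalls NOT Customer="CustomerA" AND NOT Customer="CustomerB" AND NOT Customer="CustomerC"
| eval has_override=if(isnotnull(Override) AND Override!="", 1, 0)
| stats
    count(eval(Conformance="1" AND has_override=0)) as Met,
    count(eval(Conformance="0" AND has_override=1)) as Overridden,
    count(eval(Conformance="0" AND has_override=0)) as Failed
```

Running `| stats count by Override` on the same base search first is a quick way to confirm that un-overridden events really have no Override value rather than a placeholder such as "-".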