Solved: How to Count if the condition is true?

JIthesh_Kumar · ‎08-08-2023

Hi Team,

There are 2 fields added in my search. but it's searching for same value.

But i need a count of result where the search value present in field 1 and 2.

ITWhisperer · ‎08-08-2023

| stats count(eval(field1==field2)) as count

View solution in original post

wmuselle · ‎08-08-2023

depends what you want to do, as mentioned above if fields are equal (the whole field value is what you are searching for)

if not (i.e it is a particular word inside the field) here are some different examples depending what you want to do , the examples contain different functions that achieve more or less the same

assume you are looking for the word World in both fields:
using streamstats and if like:

| makeresults count=2
| streamstats c as c
| eval a=if(c==1,"Hello World","Hello Space"), b=if(c==1,"Ugly World","Pretty Space")
| fields - c
| streamstats sum(eval(if(like(a,"%World%"),if(like(b,"%World%"),1,0),0))) as streamstat

using just stats, here using match regex as a possible comparison tool:

| makeresults count=2
| streamstats c as c
| eval a=if(c==1,"Hello World","Hello Space"), b=if(c==1,"Ugly World","Pretty Space")
| fields - c
| stats count(eval(match(a.b,"(World).*(World)"))) as stats_count_word_exists

there are other options but this should get you started

ITWhisperer · ‎08-08-2023

| stats count(eval(field1==field2)) as count

How to Count if the condition is true?

dashboard

table

timechart

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Buttercup Games: Further Dashboarding Techniques (Part 5)

Customers Increasingly Choose Splunk for Observability