Solved: Cab a field be used in stats command that's declar...

gokikrishnan · ‎12-23-2018

How do i write a query to get the above result? I have tried the following things.
1) I have tried to group by TestField in a table
2) Tried converting the C to string again as it can be used in stats command again.

Request you to assist me with regard to the same.

renjith_nair · ‎12-24-2018

@gokikrishnan,
Not sure whether understand you correctly, but based on your inputs, this should give you the expected result

Your current search to get TF,C,B,A|replace TF* with T* in TF|table TF,C,B

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

woodcock · ‎01-01-2019

Your descriptions (I have read all of them) make no sense at all. Show is some sample events, show us a mockup of the desired final output and THEN try to explain the steps required to get from data to final output.

renjith_nair · ‎12-24-2018

@gokikrishnan,
Not sure whether understand you correctly, but based on your inputs, this should give you the expected result

Your current search to get TF,C,B,A|replace TF* with T* in TF|table TF,C,B

---
What goes around comes around. If it helps, hit it with Karma 🙂

gokikrishnan · ‎12-25-2018

I got answer for the same. Thanks Renjith and All.

DalJeanis · ‎12-31-2018

@gokikrishnan - We converted the apparently correct comment to an answer. Please accept the answer if that is what got you your solution. If not, then please post your own solution, so that others may benefit, and accept your own answer. Thanks!

gokikrishnan · ‎12-25-2018

Let me explain again clearly,

TFN=Test Field Name, TFE1=TestFieldEntry, TFE2=TestFieldEntry,
C=Field found out from Eval, A=Count of values that is found with based on available fields, B=Count of values that is found with based on available fields. TF has two types of entries. They are TF1 and TF2 respectively.

C is calculated like C=A-B. Used the below query.

I need to get the values of C and B using the by clause grouped by TFN to get the result in the following manner.
TFN C B
TFE1 1 2
TFE2 4 5

Please tell me whether you understand this explanation.

renjith_nair · ‎12-23-2018

@gokikrishnan, trying to understand your requirement in bit more detail

The first result looks like A+B and not A-B.
Do you want to convert the first result to second result or do you have already some events which we can look at?
Please provide some sample events and the expected output

---
What goes around comes around. If it helps, hit it with Karma 🙂

gokikrishnan · ‎12-24-2018

My Bad, Gave the requirement incorrectly. Sorry.
Here A is Total, I have found B. To find C, I do C=A-B, As of now I am able to get the result as follows:
TF C B A
TF1 1 2 3
TF2 4 5 9
Actually need the query to be displayed as follows:
TF C B
T1 1 2
T2 4 5

Cab a field be used in stats command that's declared in eval command?

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk