Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

STATS COUNT on same field before and after WHERE / Condition?

vaibhavvijay9
New Member
‎02-14-2019 11:15 AM

Hi All,

What I want is :

  1. Total no. of queues and total no. of queues with pending messages.
    Something like this :

    .... | xmlkv | table _time, qName, pendingMsgs | stats count(qName) as totalQueues | stats count(qName) where pendingMsgs > 0 as queuesWithPendingMessages
    I want to achieve the working of last pipe and also save the values to calculate the percentage.

Or Output to be like this :

totalQueues = 15
queuesWithPendingMessages = 4
Percentage (queuesWithPendingMessages / totalQueues) x 100 = 26.66

Please help.

Thanks in advance.

Tags (1)
0 Karma
Reply

vaibhavvijay9
New Member
‎02-14-2019 11:26 AM

Got it!
Here is the solution :

.... | xmlkv | table _time, qName, pendingMsgs | stats count(qName) as totalQueues, count(eval(pendingMsgs > 0)) as queuesWithPendingMessages | eval percentage=(queuesWithPendingMessages/totalQueues)*100

But is it fully (logically) correct? Please share your views.

Awaiting your response.
Thanks!

0 Karma
Reply

chrisyounger
SplunkTrust
SplunkTrust
‎02-14-2019 11:24 AM

Try this:

.... 
| xmlkv 
| table _time, qName, pendingMsgs 
| eval hasPending = (pendingMsgs > 0,1,0)
| stats count(qName) as totalQueues sum(hasPending) as queuesWithPendingMessages
| eval percentage = (queuesWithPendingMessages / totalQueues) * 100

Hope it helps!

0 Karma
Reply

vaibhavvijay9
New Member
‎02-14-2019 11:38 AM

Hi @chrisyoungerjds,

Thanks a lot for the quick response!

Your provided string is displaying error as :

Error in 'eval' command: The expression is malformed. Expected ).

However, I have got the solution while trying it by myself, and I have posted it here as answer.

But is it fully (logically) correct? Please share your views.

Awaiting your response.
Thanks again.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...