Solved: How To Count A Field In 3 New Fields And Table The...

vtsguerrero · ‎09-18-2014

I have a field called "Status" and I wanna count when Status=P, when Status=I, when Status=E and then use the command | table _time, P, I, E
In my database they're all just one field, I kinda have to create 3 new fields splitting'em...
Thanks in advance!

MuS · ‎09-18-2014

Hi vtsguerrero,

take this run everywhere example and adapt it to your needs:

index=_internal | stats count(eval(like(sourcetype, "splunkd"))) AS P count(eval(like(sourcetype, "%web%"))) AS I

This will count sourcetype="splunkd" as P and sourcetype="*web*" as I. So if you use this on the Status field in your case.

hope this helps to get you started ...

cheers, MuS

View solution in original post

vtsguerrero · ‎09-18-2014

The result table should be something like this:

| table _time, Channel, Code, StatusP, StatusI, StatusE

but the Status field in my database is only one field. I need to count and store'em individually

MuS · ‎09-18-2014

Hi vtsguerrero,

take this run everywhere example and adapt it to your needs:

index=_internal | stats count(eval(like(sourcetype, "splunkd"))) AS P count(eval(like(sourcetype, "%web%"))) AS I

This will count sourcetype="splunkd" as P and sourcetype="*web*" as I. So if you use this on the Status field in your case.

hope this helps to get you started ...

cheers, MuS

vtsguerrero · ‎09-18-2014

Thanks a lot @MuS !

I knew how to the count, but for only one field, first time I use three fields at once, worked liked a charm! Tks!

vtsguerrero · ‎09-18-2014

Forgot to mention that I may have other fields in my table grid query....

How To Count A Field In 3 New Fields And Table Them Together?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life