Splunk Search

Query to display count boolean fields as seperate columns

dreamygguy
New Member

Hello,
I'm trying to create a splunk query that will enable me to display the count of the TRUE and FALSE values of an operation. Can anybody help with this?

The output I'm expecting to display is something like the following.

Time  Operation   Success=True  Success=False 
10AM  ABC         20            0
11AM  ABC         30            5
12AM  ABC         30            0

Thank You!

Tags (3)
0 Karma
1 Solution

kml_uvce
Builder
your query|chart count(eval(<field>=TRUE)) AS Success=True,  count(eval(<field>=FALSE)) AS Success=False by Time Operation

View solution in original post

kml_uvce
Builder
your query|chart count(eval(<field>=TRUE)) AS Success=True,  count(eval(<field>=FALSE)) AS Success=False by Time Operation

proletariat99
Communicator

This syntax doesn't work for me. Is there something missing? I'm v6.2.

index= |chart count(eval(="TRUE")) AS Success=True, count(eval(="FALSE")) AS Success=False by hostname

Error in 'chart' command: The specifier 'AS' is invalid. It must be in form (). For example: max(size).

The search job has failed due to an error. You may be able view the job in the Job Inspector.

0 Karma

kml_uvce
Builder

this was the typo error from me

0 Karma

dreamygguy
New Member

Thank you for your answer! The only change I made is for the following commands -

count(eval(=TRUE)), count(eval(=FALSE))

the value should be inside quotes.

count(eval(="TRUE")) , count(eval(="FALSE"))

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...