Hello,
I'm trying to create a Splunk query that will enable me to display the count of the TRUE and FALSE values of an operation. Can anybody help with this?
The output I'm expecting to display is something like the following.
Time   Operation   Success=True   Success=False
10AM   ABC         20             0
11AM   ABC         30             5
12AM   ABC         30             0
Thank You!
your query|chart count(eval(<field>=TRUE)) AS Success=True, count(eval(<field>=FALSE)) AS Success=False by Time Operation
This syntax doesn't work for me. Is there something missing? I'm on v6.2.
index= |chart count(eval(="TRUE")) AS Success=True, count(eval(="FALSE")) AS Success=False by hostname
Error in 'chart' command: The specifier 'AS' is invalid. It must be in form (). For example: max(size).
The search job has failed due to an error. You may be able view the job in the Job Inspector.
This was the typo error from me.
Thank you for your answer! The only change I made is for the following commands -
count(eval(
the value should be inside quotes.
count(eval(
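An added example, not part of the thread: a self-contained search over constructed events that applies the two quoting points discussed above (the compared value in quotes, and an alias containing `=` in double quotes). The field names `success`, `Operation` and `Time` and the generated events are assumptions; it uses `stats` instead of `chart` so that Operation stays its own column, and the first five lines stand in for your own base search.

```spl
| makeresults count=6
| streamstats count AS n
| eval _time = relative_time(now(), "@d+10h") + (n % 3) * 3600
| eval Operation = "ABC"
| eval success = if(n == 5, "FALSE", "TRUE")
| eval Time = strftime(_time, "%I%p")
| stats count(eval(success="TRUE")) AS "Success=True",
        count(eval(success="FALSE")) AS "Success=False"
        by Time Operation
```

With the constructed events this returns one row per hour (10AM, 11AM, 12PM), with the single FALSE event counted under 12PM.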