Solved: Query to display count boolean fields as seperate ...

dreamygguy · ‎09-06-2013

Hello,
I'm trying to create a splunk query that will enable me to display the count of the TRUE and FALSE values of an operation. Can anybody help with this?

The output I'm expecting to display is something like the following.

Time  Operation   Success=True  Success=False 
10AM  ABC         20            0
11AM  ABC         30            5
12AM  ABC         30            0

Thank You!

kml_uvce · ‎09-06-2013

your query|chart count(eval(<field>=TRUE)) AS Success=True,  count(eval(<field>=FALSE)) AS Success=False by Time Operation

View solution in original post

kml_uvce · ‎09-06-2013

your query|chart count(eval(<field>=TRUE)) AS Success=True,  count(eval(<field>=FALSE)) AS Success=False by Time Operation

proletariat99 · ‎04-02-2015

This syntax doesn't work for me. Is there something missing? I'm v6.2.

index= |chart count(eval(="TRUE")) AS Success=True, count(eval(="FALSE")) AS Success=False by hostname

Error in 'chart' command: The specifier 'AS' is invalid. It must be in form (). For example: max(size).

The search job has failed due to an error. You may be able view the job in the Job Inspector.

kml_uvce · ‎09-06-2013

this was the typo error from me

dreamygguy · ‎09-06-2013

Thank you for your answer! The only change I made is for the following commands -

count(eval(=TRUE)), count(eval(=FALSE))

the value should be inside quotes.

count(eval(="TRUE")) , count(eval(="FALSE"))

Query to display count boolean fields as seperate columns

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...