How To Count A Field In 3 New Fields And Table Them Together?

vtsguerrero
Contributor

I have a field called "Status" and I wanna count when Status=P, when Status=I, when Status=E and then use the command | table _time, P, I, E
In my database they're all just one field, I kinda have to create 3 new fields splitting 'em...
Thanks in advance!


MuS
SplunkTrust

Hi vtsguerrero,

Take this run-everywhere example and adapt it to your needs:

index=_internal | stats count(eval(like(sourcetype, "splunkd"))) AS P count(eval(like(sourcetype, "%web%"))) AS I

This will count sourcetype="splunkd" as P and sourcetype="*web*" as I. So if you use this on the Status field in your case.

hope this helps to get you started ...

cheers, MuS


vtsguerrero
Contributor

The result table should be something like this:

| table _time, Channel, Code, StatusP, StatusI, StatusE

but the Status field in my database is only one field. I need to count and store 'em individually.


vtsguerrero
Contributor

Thanks a lot @MuS !

I knew how to do the count, but for only one field. First time I use three fields at once, worked like a charm! Tks!


vtsguerrero
Contributor

Forgot to mention that I may have other fields in my table grid query....
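
The pattern from the accepted answer applied to the Status field, with the other table columns carried through a BY clause. This is an added example, not a post from the thread: the index name your_index and the 1-hour time bucket are assumptions, and Channel, Code and the StatusP/StatusI/StatusE column names are taken from the asker's table line.

```spl
index=your_index Status IN ("P", "I", "E")
| fillnull value="unknown" Channel Code
| bin _time span=1h
| stats count(eval(Status="P")) AS StatusP
        count(eval(Status="I")) AS StatusI
        count(eval(Status="E")) AS StatusE
        BY _time, Channel, Code
| table _time, Channel, Code, StatusP, StatusI, StatusE
```

stats silently drops events in which a BY field is missing, which is why fillnull runs first. The comparisons inside eval are case-sensitive, unlike the base search, so a lowercase status value passes the filter but is not counted.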
