I'm trying to count the number of occurrences of a field WITH values and the number of the same field WITHOUT values in the same search. I can't seem to return any counts for either eval statement. I am using HUNK.
base search | eval zip=(if(NOT LOCATION.postalCode="*",1,0)) | stats sum(zip) as count | eval noZip=(if(LOCATION.postalCode="*",1,0)) | stats sum(noZip)
Try this:
base search | stats count AS total, count(eval(isnull(LOCATION.postalCode))) AS noZip | eval Zip = count - noZip
Couple of options you could try
base search | eval zip=if(LOCATION.postalCode="*", 1, 0) | stats count(eval(zip=1)) as wzip count(eval(zip=0)) as nozip
OR
base search | stats count(eval(LOCATION.postalCode="*") as zip count as total | eval nozip=total-zip
I don't have experience with Hunk, but using just core Splunk would something like this work?
base search | stats count(LOCATION.postalCode) as countWith count(eval(isnull(LOCATION.postalCode))) as countWithout
Alternatively if you need to use your evals and sums, if you move both evals to before the stats you could do both sums in one stats
base search | eval zip=... | eval noZip=... | stats sum(zip) as count sum(noZip)
This is close..except the
count(eval(isnull(LOCATION.postalCode)))
statement still brings in records with the LOCATION.postalCode field. How can I incorporate a WHERE isnull(LOCATION.postalCode) into the eval?
not sure why but it's not displaying correctly but in my query I do have an * between the quotes in both statements
Answers uses markdown for formatting, so without indenting 4 spaces it was intrepreting the *
as markers for italics. but if you indent 4 spaces, it becomes a code block... https://daringfireball.net/projects/markdown/syntax