
How can I count both events that are tagged and those that aren't?

Phil219
Path Finder

I currently use the following to count the number of names that are tagged as cool:

... tag::cool | stats dc("Name")

This gives me a count of cool kids. I would like to compare the number of kids that are "cool" with those that are not cool. Any ideas how I can get those two numbers?


MuS
SplunkTrust

Hi Phil219,

you can do something like this:

  tag::cool OR tag::uncool | stats count(eval(tag="cool")) AS cool count(eval(tag="uncool")) AS uncool count AS total

to get a count of cool things, uncool things and a total count of both events.

Update
Just in case there is no tag::uncool you can use this search:

 tag::* OR NOT tag::* | stats count(eval(tag="cool")) AS cool sum(eval(if(isnull(tag), 1, 0))) AS uncool count AS total

Hope this helps ...

cheers, MuS

Phil219
Path Finder

Works! Thank you!


Phil219
Path Finder

Nice! Thank you MuS! I have no "uncool" tag... I will give this a shot...


MuS
SplunkTrust

Hmm, maybe I did misunderstand your question... Do you have a tag::uncool or only a tag for tag::cool?

MuS
SplunkTrust

updated the answer ...
