Solved: How to count the number of times a certain value a...

acaruso · ‎04-26-2016

I'm new to Splunk - be kind...

I can produce a table where I can get:

Field1   Field2   Field3   Field4....  Computer
true     false    true     false       192.168.1.1
false    true     true     false       192.168.1.2
etc.

What I'm trying to do is get just the count of 'true' per field, e.g.:
Field1: 1
Field2: 1
Field3: 2
Field4: 0

I've tried:

query | stats count(eval(match(Field1,true))) as F1, count(eval(match(Field2,"true"))) as F2, etc.

All Fields return Zero (0)

query | stats count(eval(match(Field1,true))) as F1, count(eval(match(Field2,"true"))) as F2, etc. by Computer.

All Fields return Zero (0)

query |stats count(eval(Field1=true)) as F1, count(eval(Field2=true) as F2, etc.

Still, nada - zero(0)s.

query |stats count(if(Field1=true)) as F1....

What am I missing? I've spent hours trying to figure this out.

Cheers, -T

somesoni2 · ‎04-27-2016

Give this a try

your base search | replace "true" with 1 "false" with 0 in Field1 Field2 Field3 Field4 | stats sum(Field1) as F1 sum(Field2) as F2 sum(Field3) as F3 sum(Field4) as F4

View solution in original post

lguinn2 · ‎04-27-2016

Try this

yoursearchhere
| replace "false" with "0" in Field*
| replace "true" with "1" in Field*
| stats sum(Field*) as Field*

You might want to add a transpose command at the end

somesoni2 · ‎04-27-2016

Give this a try

your base search | replace "true" with 1 "false" with 0 in Field1 Field2 Field3 Field4 | stats sum(Field1) as F1 sum(Field2) as F2 sum(Field3) as F3 sum(Field4) as F4

How to count the number of times a certain value appears per field?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life