Hello,
I have a simple issue that I can't resolve, and was hoping for support. I have the following data:
OBJECT ID,NEW STATE
1,STATE ONE
1,STATE TWO
1,STATE THREE
2,STATE ONE
2,STATE TWO
2,STATE ONE
My objective is to return the number of times that "STATE ONE" appears. I have the following code:
index = "SAMPLE INDEX" | stats count(eval("NEW STATE" = "STATE ONE")) as "COUNT"
I was hoping that this would return "COUNT" = 3, but it keeps returning 0.
What am I missing?
Any help would be greatly appreciated. Thank you!
Andrew
Try like this
index = "SAMPLE INDEX" "NEW STATE"="STATE ONE" | stats count as "COUNT"
OR (field name with spaces should be enclosed in single quotes)
index = "SAMPLE INDEX" | stats count(eval('NEW STATE' = "STATE ONE")) as "COUNT"
I hope it's not doing a string compare and then returning false by comparing "NEW STATE" as a string rather than "NEW STATE" as a field with "STATE ONE". Try to extract the field name as single-worded text like this and see if it resolves:
yourQuery to return data
| rex "^(?<objectId>[^,]+),(?<newState>.*)$"
| stats count(eval(newState="STATE ONE")) as COUNT
Stupid double quotes! Thank you!
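A self-contained way to check the quoting behaviour discussed in this thread, added here as an example and not taken from any of the posts: it rebuilds the six sample rows with makeresults (constructed data, no index needed) and counts "STATE ONE" with both quoting styles in one stats call. The output names single_quoted and double_quoted and the helper field n are made up for this example. Inside eval, double quotes produce a string literal and single quotes reference a field, so the double-quoted form compares two different literals on every row.

```spl
| makeresults count=6
| streamstats count AS n
| eval "OBJECT ID"=if(n<=3, 1, 2)
| eval "NEW STATE"=case(n==1, "STATE ONE", n==2, "STATE TWO", n==3, "STATE THREE", n==4, "STATE ONE", n==5, "STATE TWO", n==6, "STATE ONE")
| stats count(eval('NEW STATE'="STATE ONE")) AS single_quoted
        count(eval("NEW STATE"="STATE ONE")) AS double_quoted
```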