Splunk Enterprise

How to filter streamstats results for two equal variables?

like2splunk
Explorer

My search code is as follows:

index="logs" host=tcr2
"Transitioned to Error State" OR "BeamResult Received" OR "scanning controller went to error" OR "session is closed" OR "BeamContext:" 
| dedup description consecutive=true
| reverse
| streamstats count(eval(searchmatch("BeamContext:"))) AS SessionID
| stats count(eval(searchmatch("Transitioned to Error State"))) AS error_count count(eval(searchmatch("scanning controller went to error"))) AS qualify_count count(eval(searchmatch("patientId"))) AS patient_count list(_raw) AS _raw BY SessionID
| search error_count>0 qualify_count>0 patient_count>0

Notice the last line. What I want is to be able to search for error_count=qualify_count as well. But when I do this, I get zero results even though I know for sure that there are such scenarios. I only want the results of streamstats for a given "SessionID" in which the number for "error_count" is equal to the number for "qualify_count". Any ideas?

1 Solution

Drahgkar
Engager

If you're just trying to find where error_count is equal to qualify_count and patient_count is greater than 0, this snippet that incorporates somesoni2's comment above should work:

| where error_count=qualify_count AND patient_count>0


woodcock
Esteemed Legend

As others have indicated, the combined solution should be replacing your last line with something like this:

 | where (error_count>0 AND qualify_count>0 AND patient_count>0) OR (error_count=qualify_count)


somesoni2
SplunkTrust

Since you're dealing in numbers, use the where command instead of search.

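The reason behind the accepted answer and somesoni2's comment is that the `search` command reads the right-hand side of `field=value` as a literal, so `search error_count=qualify_count` looks for sessions whose error_count is the string "qualify_count" and matches nothing, while `where` evaluates an expression and can compare one field against another. The Python below is an added illustration of that, not SPL and not code from anyone in the thread: it models the streamstats session numbering, the per-session stats counters and both forms of the final filter over a handful of constructed log lines (the `dedup` step is omitted, and the lines are already oldest-first, which is what `| reverse` provides in the original search).

```python
"""Plain-Python model of the thread's SPL pipeline on constructed events.

Each "BeamContext:" line starts a new session (the streamstats running
count), the per-session counters mirror the stats(eval(searchmatch(...)))
terms, and the final filter is applied both ways: as `search` reads
`error_count=qualify_count` (literal right-hand side, no matches) and as
`where` reads it (field compared with field).
"""
from collections import Counter

# Constructed sample events, oldest first. Not real tcr2 logs.
SAMPLE_EVENTS = [
    "BeamContext: session 1 opened",
    "Transitioned to Error State patientId=P1",
    "scanning controller went to error",
    "session is closed",
    "BeamContext: session 2 opened",
    "Transitioned to Error State patientId=P2",
    "Transitioned to Error State patientId=P2",
    "scanning controller went to error",
    "session is closed",
    "BeamContext: session 3 opened",
    "BeamResult Received",
    "session is closed",
]


def assign_session_ids(events):
    """streamstats count(eval(searchmatch("BeamContext:"))) AS SessionID:
    the running number of BeamContext lines seen so far. Events before
    the first BeamContext line would get SessionID 0, as in Splunk."""
    session_id = 0
    rows = []
    for raw in events:
        if "BeamContext:" in raw:
            session_id += 1
        rows.append({"SessionID": session_id, "_raw": raw})
    return rows


def session_counts(rows):
    """stats count(eval(searchmatch(...))) AS ... BY SessionID."""
    sessions = {}
    for row in rows:
        counts = sessions.setdefault(row["SessionID"], Counter())
        raw = row["_raw"]
        counts["error_count"] += int("Transitioned to Error State" in raw)
        counts["qualify_count"] += int("scanning controller went to error" in raw)
        counts["patient_count"] += int("patientId" in raw)
    return {sid: dict(c) for sid, c in sessions.items()}


def search_filter(stats, field, literal):
    """How `| search field=value` treats the comparison: `value` is a
    literal, never another field name. Returns the matching sessions."""
    return {sid: c for sid, c in stats.items()
            if str(c.get(field, 0)) == literal}


def where_filter(stats):
    """| where error_count=qualify_count AND patient_count>0"""
    return {sid: c for sid, c in stats.items()
            if c.get("error_count", 0) == c.get("qualify_count", 0)
            and c.get("patient_count", 0) > 0}


def run(events=SAMPLE_EVENTS):
    """Run the whole pipeline and return (stats, search-style result,
    where-style result) so the two filters can be compared."""
    stats = session_counts(assign_session_ids(events))
    broken = search_filter(stats, "error_count", "qualify_count")
    fixed = where_filter(stats)
    return stats, broken, fixed


if __name__ == "__main__":
    stats, broken, fixed = run()
    for sid, counts in stats.items():
        print(sid, counts)
    print("search error_count=qualify_count ->", broken)
    print("where error_count=qualify_count AND patient_count>0 ->", fixed)
```

On the sample data only session 1 has one error and one qualifying controller error with a patientId, so it is the only session the `where` form returns; the `search` form returns nothing for any data, because no session's error_count is literally "qualify_count". The same rule applies to the `>` comparisons: `search error_count>0` works only because 0 is a literal.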