Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Compare one field against itself (Chart)

JoshuaJohn
Contributor
‎05-19-2017 10:06 AM

I have a chart that gives me serial numbers, some of the spots for serial numbers are empty. I want to compare how many are empty vs the total number of serials I have (That are not empty).

So basically a bar graph with 1 bar being total number of serials
The other bar being number of empty serials

|inputlookup Serial_Report.csv |stats count by serial_number|stats sum(serial_number) AS totalSerial | fillnull value="XXX" serial_number | search serial_number="XXX" | stats count by serial_number|stats sum(serial_number) AS totalEmptySerial |fields totalEmptySerial, totalSerial

Any Ideas?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-19-2017 11:40 AM

Give this a try

|inputlookup Serial_Report.csv |stats count by serial_number | eval is_empty=if(serial_number="" OR len(trim(serial_number))=0,1,0)
| stats sum(is_empty) as totalEmptySerial count as totalSerial

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-19-2017 11:40 AM

Give this a try

|inputlookup Serial_Report.csv |stats count by serial_number | eval is_empty=if(serial_number="" OR len(trim(serial_number))=0,1,0)
| stats sum(is_empty) as totalEmptySerial count as totalSerial
0 Karma
Reply
Solved! Jump to solution

JoshuaJohn
Contributor
‎05-19-2017 11:47 AM

https://pasteboard.co/8fKoBncto.png
Not exactly, it doesn't appear to recognize the empty fields

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-19-2017 11:50 AM

How about this

|inputlookup Serial_Report.csv | eval serial_number=if(isnull(serial_number) OR serial_number="" OR len(trim(serial_number))=0,"XXX",serial_number) |stats count by serial_number | eval is_empty=if(serial_number="XXX",1,0)
 | stats sum(is_empty) as totalEmptySerial count as totalSerial
0 Karma
Reply
Solved! Jump to solution

JoshuaJohn
Contributor
‎05-19-2017 11:52 AM

Now I am getting 1 count result for empty, should be around 300.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-19-2017 12:54 PM

Pheww. Try this

 |inputlookup Serial_Report.csv | eval serial_number=if(isnull(serial_number) OR serial_number="" OR len(trim(serial_number))=0,"XXX",serial_number) |stats count by serial_number | eval is_empty=if(serial_number="XXX",count,0)
  | stats sum(is_empty) as totalEmptySerial sum(count) as totalSerial
0 Karma
Reply
Solved! Jump to solution

JoshuaJohn
Contributor
‎05-19-2017 01:17 PM

Ah so close, I still need two bars though. I am not sure if it is possible

Basically one would say 300, the other would be 20,000

This is what your search has created so far
https://pasteboard.co/8hgrpV061.png

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-19-2017 01:21 PM

Let this be the final attempt. Try this

|inputlookup Serial_Report.csv | eval serial_number=if(isnull(serial_number) OR serial_number="" OR len(trim(serial_number))=0,"XXX",serial_number) |stats count by serial_number | eval Metrics=if(serial_number="XXX",split("totalEmptySerial,totalSerial",","),"totalSerial")
   | stats sum(count) as count by Metrics
0 Karma
Reply
Solved! Jump to solution

JoshuaJohn
Contributor
‎05-22-2017 06:35 AM

Thank you!! Perfect.

0 Karma
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...