How to count good work quotas vs. bad work quotas?

pvirnig · ‎12-04-2017

I am a Newb at Splunk, so please bear with me if this is straight forward or has been answered previously. I have successfully used your Splunk>Answers on a number of occasions, but I am struggling with how to phrase this search.

SITUATION: I work in an assembly facility. I am currently calculating the number of good parts per completed device using:

 | stats count(eval(PartStatus=1))  AS "GOOD PARTS"

A correctly assembled device will contain a set number of GOOD PARTS (let's use "N"). I would like to count the number of devices based on "N". By doing this I will have the following:

 "GOOD DEVICES" - the number of devices that have "N" number of GOOD PARTS
 "BAD DEVICES" - the number of devices that do NOT have "N" number of GOOD PARTS

QUESTION: How do I count the number of GOOD DEVICES and the number of BAD DEVICES, each of which are based on a value derived from a previous count?

woodcock · ‎12-04-2017

Like this:

...   | stats count AS TotalParts count(eval(PartStatus=1)) AS GoodParts BY host
| eval state=if((GoodParts>YourNumberHere), "Good", "Bad")

pvirnig · ‎12-05-2017

This is slightly different than the above response and also works. Thank you.

somesoni2 · ‎12-04-2017

Assuming your stats includes a by clause for device, try something like this.

..your base search..| stats count(eval(PartStatus=1))  AS "GOOD PARTS" by device 
| eval device_type=if('GOOD PARTS'=N,"GOOD DEVICE","GAD DEVICE")
| stats count by device_type

pvirnig · ‎12-05-2017

I was able to finally get back to this. Your response is spot on. Thanks for your help on this.

How to count good work quotas vs. bad work quotas?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!