I am a Newb at Splunk, so please bear with me if this is straight forward or has been answered previously. I have successfully used your Splunk>Answers on a number of occasions, but I am struggling with how to phrase this search.
SITUATION: I work in an assembly facility. I am currently calculating the number of good parts per completed device using:
| stats count(eval(PartStatus=1)) AS "GOOD PARTS"
A correctly assembled device will contain a set number of GOOD PARTS (let's use "N"). I would like to count the number of devices based on "N". By doing this I will have the following:
"GOOD DEVICES" - the number of devices that have "N" number of GOOD PARTS
"BAD DEVICES" - the number of devices that do NOT have "N" number of GOOD PARTS
QUESTION: How do I count the number of GOOD DEVICES and the number of BAD DEVICES, each of which is based on a value derived from a previous count?
Like this:
... | stats count AS TotalParts count(eval(PartStatus=1)) AS GoodParts BY host
| eval state=if((GoodParts>YourNumberHere), "Good", "Bad")
This is slightly different than the above response and also works. Thank you.
Assuming your stats includes a by clause for device, try something like this.
..your base search..| stats count(eval(PartStatus=1)) AS "GOOD PARTS" by device
| eval device_type=if('GOOD PARTS'=N,"GOOD DEVICE","BAD DEVICE")
| stats count by device_type
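A self-contained version of this answer's pipeline, added here as a worked example rather than code from the original thread. It assumes N=3 good parts per correctly assembled device and builds a few constructed events with makeresults so it runs in any Splunk search bar without an index; the device and PartStatus field names match the thread, everything else is an assumption.

```spl
| makeresults count=1
| eval _raw="device=A PartStatus=1;device=A PartStatus=1;device=A PartStatus=1;device=B PartStatus=1;device=B PartStatus=0;device=B PartStatus=1;device=C PartStatus=1;device=C PartStatus=1;device=C PartStatus=1"
| makemv delim=";" _raw
| mvexpand _raw
| rex field=_raw "device=(?<device>\w+) PartStatus=(?<PartStatus>\d+)"
| eval PartStatus=tonumber(PartStatus)
| stats count AS TotalParts count(eval(PartStatus=1)) AS "GOOD PARTS" BY device
| eval device_type=if('GOOD PARTS'=3, "GOOD DEVICE", "BAD DEVICE")
| stats count BY device_type
```

With the constructed data, devices A and C have three good parts and device B has two, so the final stats returns GOOD DEVICE=2 and BAD DEVICE=1. The first stats is the per-device roll-up; the eval turns that count into a label; the second stats counts labels. Because "GOOD PARTS" contains a space, the eval must reference it in single quotes, and the BY device clause is what makes the count per device rather than across the whole search.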
I was able to finally get back to this. Your response is spot on. Thanks for your help on this.