Splunk Search

How to count good work quotas vs. bad work quotas?

pvirnig
New Member

I am a Newb at Splunk, so please bear with me if this is straight forward or has been answered previously. I have successfully used your Splunk>Answers on a number of occasions, but I am struggling with how to phrase this search.

SITUATION: I work in an assembly facility. I am currently calculating the number of good parts per completed device using:

 | stats count(eval(PartStatus=1))  AS "GOOD PARTS"

A correctly assembled device will contain a set number of GOOD PARTS (let's use "N"). I would like to count the number of devices based on "N". By doing this I will have the following:

 "GOOD DEVICES" - the number of devices that have "N" number of GOOD PARTS
 "BAD DEVICES" - the number of devices that do NOT have "N" number of GOOD PARTS

QUESTION: How do I count the number of GOOD DEVICES and the number of BAD DEVICES, each of which are based on a value derived from a previous count?

Tags (1)
0 Karma

woodcock
Esteemed Legend

Like this:

...   | stats count AS TotalParts count(eval(PartStatus=1)) AS GoodParts BY host
| eval state=if((GoodParts>YourNumberHere), "Good", "Bad")
0 Karma

pvirnig
New Member

This is slightly different than the above response and also works. Thank you.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Assuming your stats includes a by clause for device, try something like this.

..your base search..| stats count(eval(PartStatus=1))  AS "GOOD PARTS" by device 
| eval device_type=if('GOOD PARTS'=N,"GOOD DEVICE","GAD DEVICE")
| stats count by device_type
0 Karma

pvirnig
New Member

I was able to finally get back to this. Your response is spot on. Thanks for your help on this.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...