How to count files in which multiple fields meet c...

fzhao2 · ‎02-21-2019

I have a few files. They all have the same columns and look like this:

timestamp           field1    field2
...
1544079360.84132    99
1544079363.52629              98
1544081067.48075              100
1544081377.48521    100
...

I want to count the files that both field1 and field2 reached 100 or above.

I tried:

... | search field1>=100 AND field2>=100

but it didn't work. I believe it's because there were null values.

So I tried filldown:

... | filldown field1, field2

but it's still not working.

I also tried eventstats and no luck. And I don't prefer eventstats as it gets very slow when data is increasing.

Any thoughts? Thank you!

vinod94 · ‎02-22-2019

Hi @fzhao2,

try this...

....|where field1>=100 OR field2>=100

Worked for me

| makeresults 
| eval field1="99, , ,100" 
| makemv delim="," field1 
| mvexpand field1 
| appendcols 
    [| makeresults 
    | eval field2=", ,98,100, ," 
    | makemv delim="," field2 
    | mvexpand field2] 
|where field1>=100 OR field2>=100

renjith_nair · ‎02-21-2019

@fzhao2 ,

You might want an OR instead of AND since you dont have values for both fields at the same time.

---
What goes around comes around. If it helps, hit it with Karma 🙂

How to count files in which multiple fields meet certain conditions?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!