How to get eval values from two fields

rashi83
Path Finder

My current search is this:

index="x" | timechart count(eval(statusCategory="B"))

I want to add one more statusCategory="C" and tried making like -

index="x" | timechart count(eval(statusCategory="B" OR statusCategory="C"))

but it does not work
0 Karma

Vijeta
Influencer

@rashi83 to get the total of fail, pass, nearpass, use the search below

index=x
| stats count(eval(statusCategory="Pass")) AS Pass, count(eval(statusCategory="NearPass")) AS NearPass, count(eval(statusCategory=="Fail")) AS Fail BY region
| eval Pass=Pass + NearPass

0 Karma

rashi83
Path Finder

Doesn't work Vijeta

0 Karma

Vijeta
Influencer

What results do you get?

0 Karma

rbechtold
Communicator

Hi Rashi83,

Does this work?

index=x
| search statusCategory="B" OR statusCategory="C"
| timechart count by statusCategory

Alternatively, if you need to define the "statusCategory" before the timechart, you can use:

index=x
| eval statusCategory=if(statusCategory="B_string", "B", if(statusCategory="C_string", "C", null()))
| where isnotnull(statusCategory)
| timechart count by statusCategory
0 Karma

rashi83
Path Finder

Thanks, but I need to show the summed-up value of statusCategory=A and statusCategory=B while doing the visualization as a single value.

This yields the correct value but not the summed-up value.

0 Karma

rbechtold
Communicator

Ahh, I see!

If I am understanding correctly, would using

...|timechart count(statusCategory)

instead of

...|timechart count by statusCategory

in one of my previous examples do the trick?

0 Karma

rashi83
Path Finder

Thank you so much... I was working more on this query and was trying to get the percentage of "Pass". Pass % will include statusCategory="Pass" and statusCategory="NearPass":

index=x
| search statusCategory="Pass" OR statusCategory="NearPass"
| stats count(statusCategory) AS "Pass"
| stats count(eval(statusCategory=="Fail")) AS "Fail" BY region
| addtotals
| foreach Compliant, NonCompliant [| eval "<<FIELD>> %"=round((<<FIELD>>/Total)*100,2)]
| sort - "Pass %"
| table region " %"
| rename region AS Region

But it fails to recognize the count of statusCategory=Fail.
How can this be modified?

0 Karma

rbechtold
Communicator

Hello again rashi! No problem at all, it is my intention to help out however I can.

The reason it fails to recognize the count of statusCategory="Fail" is that the search pipe and the stats pipe remove all instances of fail statuses from the data. Let's try to fix that!

I'm operating under the assumption that we're working with these two fields for this search:
1. statusCategory
2. region

Is this correct? The reason I'm asking is because I see a "Compliant" field and a "NonCompliant" field in the foreach command, and I'm not sure how they come into play.

That said, if we are just looking for a "Pass %" by region, the query below should work:

index=x
| eval PassCheck = if(statusCategory="Pass", 1, if(statusCategory="NearPass", 1, 0))
| eval FailCheck = if(PassCheck=0, 1, 0)
| stats sum(FailCheck) AS Fail sum(PassCheck) AS Pass BY region
| eval total_by_area = Fail + Pass
| eval area_percent = round((Pass / total_by_area) * 100, 2)
| table region area_percent
| sort - area_percent
| rename area_percent AS "Pass %", region AS Region

Let me know if anything goes wrong, or if anything doesn't make sense!

0 Karma
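A self-contained version of the flag-based approach from rbechtold's last answer, added here as an editor's example; it is not code posted in the thread. It builds twelve fake events inline with makeresults, so it runs in any Splunk search bar without an index. The field names region and statusCategory and the values Pass, NearPass and Fail follow the thread; the region names EMEA and APAC, the hourly timestamps and the mix of statuses per event are constructed. It serves both questions in the thread: the PassOrNearPass column is the single summed-up count of two categories that the first question asked for, and the "Pass %" column is the per-region percentage from the second question, computed without a search filter that would throw the Fail events out of the denominator.

```spl
| makeresults count=12
| streamstats count AS n
| eval _time = now() - n * 3600
| eval region = if(n <= 7, "EMEA", "APAC")
| eval statusCategory = case(n % 5 = 0, "Fail", n % 3 = 0, "NearPass", true(), "Pass")
| eval PassCheck = if(statusCategory = "Pass" OR statusCategory = "NearPass", 1, 0)
| eval FailCheck = if(PassCheck = 0, 1, 0)
| stats sum(PassCheck) AS PassOrNearPass, sum(FailCheck) AS Fail BY region
| eval "Pass %" = round(PassOrNearPass / (PassOrNearPass + Fail) * 100, 2)
| sort - "Pass %"
| rename region AS Region
```

The first five lines only manufacture data (an event number n, a timestamp one hour apart per event, a region, and a status chosen from n); against real data they are replaced by the base search index=x with no leading pipe, since makeresults is a generating command and index=x is not. Every event gets a 1 in exactly one of PassCheck or FailCheck, so the two sums always add up to the number of events in the region and the percentage is correct even when a region has no failures. For a timechart single-value panel, the same constructed events work with the tail replaced by search statusCategory="Pass" OR statusCategory="NearPass" followed by timechart span=4h count AS PassOrNearPass, which is the filter-then-count form from the earlier answers.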