- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Is it possible to use if else condition based on t...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to use if else condition based on the search to create stats?
index=concourse
sourcetype="deployments: csv"
if project = * and team=$team$ | stats count by project, team
elif team=* and project=$project$ | stats count by team, project
Can we do something like this in Splunk search?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure if it will get you what you need, but you can wrap an eval inside of a stats function.
count(eval(team=$team$ AND project=*))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Where is the data that is going to populate the two tokens you have in your search coming from? Is that streaming from the search that returns with your index=concourse sourcetype="deployments: csv" part of the query? Also what is your ultimate goal, Are you trying to say, if project is not null and team equals token team stats count by project, team, else if team is not null and project equals token project stats count by team project? Are you doing this because the project/team field is sometimes null? Can you mock up the output you are looking for?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to create a dashboard with deployments during the month based on projects as dropdown fields using Column graph
this is my query for the dashboard.
index="concourse" sourcetype="deployments: csv" month="$mt$" project="$project$" | stats count by project, month
This basically gives me the count for the deployments by project
with the above query if i choose
Project = ALL and Month=February
This is basically showing the data correctly in the graph wit proper name [like a, b, c projects deployed during this month]
When I choose Project=BUY and Month=ALL
Then it is populating the results but showing as [BUY,BUY,BUY,BUY] on x-axis and count on y-axis and not displaying the month
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Gotcha. You may want to consider using chart instead of stats for this use case:
index="concourse" sourcetype="deployments: csv" month="$mt$" project="$project$"
| chart count over month by project
This will make it so month is always the x-axis and your columns will be different projects.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
