Splunk Search

Problem with the summation in chart command in SPLUNK

abhayneilam
Contributor

Hi,

I want to find out how what is the total number of "Exit" and "Entry" for the particular CARD_NUMBER for a particular TRANSIT_DATE, for that to do I gave the below query, but it is not returning my any answer,

Please let me know where I am doing wrong with the query or any other alternative is there :

chart count((eval(STR_DIRECTION="Entry"))+(eval(STR_DIRECTION="Exit"))) as "Total_Count" over "TRANSIT_DATE" by "CARD_NUMBER"

Thanks in Advance!!

Tags (2)
0 Karma

jonuwz
Influencer

This :

((eval(STR_DIRECTION="Entry"))+(eval(STR_DIRECTION="Exit"))

assuming that only 1 statement can be true, will never return anything.

It evaluates to NULL + 1 or 1 + NULL, which is always null

i.e.

* | head 1 | eval a=NULL | eval b=1 | eval c=a+b | table a b c

So you need an if statement to return sane values:

( (eval(if(STR_DIRECTION=="Entry",1,0))) + (eval(if(STR_DIRECTION=="Exit",1,0))) )

There's probably a far easier way to do this if you post some sample data though

Update

... | stats count(eval(STR_DIRECTION=="Exit")) as Exit count(eval(STR_DIRECTION=="Entry")) as Entry by TRANSIT_DATE CARD_NUMBER
    | eval Complete=if(Exit==Entry,"Complete","Incomplete")
0 Karma

jonuwz
Influencer

updated answer

0 Karma

abhayneilam
Contributor

I have given this code , but it gives me some different answer, I want to compare the number of exit with the number or entry for a particular Card_num for a particular day

|inputlookup "Data-Sample.csv" | table "TRANSIT_DATE","NAME","SURNAME","IDENTIFIER","CARD_NUMBER","STR_DIRECTION","STR_TRANSIT_STATUS","TERMINAL" | chart limit=29 count(eval(STR_DIRECTION="Entry" OR STR_DIRECTION="Exit")) as "Total_Count" over "TRANSIT_DATE" by "CARD_NUMBER" |eval a=strptime(TRANSIT_DATE,"%d/%m/%Y") | sort a | fields - a

0 Karma

abhayneilam
Contributor

I have a report which contains few columns as "Date", "Card_num","Status"

I have the "Date" in %d/%m/%Y format
"Card_num" is a numeric field ( Unique value )
"Status" Contains two values,either "Entry" or "Exit"

Now, I would like to know for a particular "Card_num" for a particular "Date" , total number of "Exit" is equal to the total number of "Entry" or not, if it is equal I should make an another column as "Result" and value should be "Complete Transaction" and for unequal number It "Result" should contain "Incomplete Transaction"

Please help !!

0 Karma

jonuwz
Influencer

This has nothing to do with the original question, also, without sample data this comment is gibberish to me.

0 Karma

abhayneilam
Contributor

How do I compare the number of entry and exit of each Card_Number against each date, if num of entry is not equal to num of entry for a particular day it means , transaction is incomplete

please help

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...