Comments and answers for "Sum of conditional if with wildcard"
https://answers.splunk.com/answers/314046/sum-of-conditional-if-with-wildcard.html
Comment by woodcock on woodcock's comment
https://answers.splunk.com/comments/318412/view.html
If you are only getting a count of one, it is because that is what is really there. If a user has some of each, this search *WILL* count both and each field will be non-zero. My solution is a complete solution for your need as you described it.
Fri, 16 Oct 2015 18:47:39 GMT, woodcock

Answer by maciep
https://answers.splunk.com/answering/314205/view.html
Something like this?
... | stats count(eval(type1_if=1)) as type1_if count(eval(type2_if=1)) as type2_if count(eval(type1_if=1 OR type2_if=1)) as type_if by _timestamp user
Fri, 02 Oct 2015 16:31:45 GMT, maciep

Comment by jclemons7 on jclemons7's answer
https://answers.splunk.com/comments/314204/view.html
So, this is sort of working, I think... but it seems like my group is only returning one column for each user, so I will get a count of type2_if_total for a given user but I won't get a count of type1_if_total, or vice versa. I need to know the total count of both type1_if_total and type2_if_total for each user.
Fri, 02 Oct 2015 16:25:45 GMT, jclemons7

Comment by somesoni2
https://answers.splunk.com/comments/314092/view.html
Any sample logs??
Thu, 01 Oct 2015 22:48:24 GMT, somesoni2

Answer by woodcock
https://answers.splunk.com/answering/314050/view.html
I think you are not asking for what you really desire, but assuming I am incorrect, you can do what you asked like this:
event="standard"
| regex _raw!="(?i)(fileofinterest\.txt|objectofinterest\.txt|otherthing\.bat)"
| stats count(eval(match(InterestingField,"(?i)fileofinterest\.txt"))) AS type1_if_total
        count(eval(match(InterestingField,"(?i)objectofinterest\.txt"))) AS type2_if_total BY _timestamp user
| eval type_if_total = type1_if_total + type2_if_total
Thu, 01 Oct 2015 20:24:17 GMT, woodcock
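Added example, not from either answer or from Splunk: a Python emulation of the `stats count(eval(match(...))) ... BY user` pattern used in both answers above, run over constructed sample events, to show that one pass yields every conditional count for every user (zero where nothing matched) rather than a single column per user. Field names, the sample users and the file names are assumed from the thread; the regexes are unanchored substring matches, which is how Splunk's match() behaves, so no SQL-style `%` wildcards are needed.

```python
import re
from collections import defaultdict

# Constructed sample events (not real logs): each carries a user and an
# InterestingField whose value may contain one of the file names of interest.
EVENTS = [
    {"user": "alice", "InterestingField": r"C:\share\FileOfInterest.txt"},
    {"user": "alice", "InterestingField": r"C:\share\objectofinterest.txt"},
    {"user": "alice", "InterestingField": r"C:\share\readme.md"},
    {"user": "bob",   "InterestingField": "/srv/objectofinterest.txt"},
    {"user": "bob",   "InterestingField": "/srv/objectofinterest.txt.bak"},
    {"user": "carol", "InterestingField": "/tmp/otherthing.bat"},
]

# Splunk's match(field, "regex") is an unanchored regex search, so a bare
# pattern already behaves like "*name*"; (?i) makes it case-insensitive.
TYPE1 = re.compile(r"(?i)fileofinterest\.txt")
TYPE2 = re.compile(r"(?i)objectofinterest\.txt")


def conditional_counts(events):
    """Emulate:
      | stats count(eval(match(F,"type1"))) AS type1_if_total
              count(eval(match(F,"type2"))) AS type2_if_total BY user
      | eval type_if_total = type1_if_total + type2_if_total
    count(eval(...)) counts only events where the eval is true, and every
    user row gets all three fields, defaulting to 0 when nothing matched."""
    totals = defaultdict(lambda: {"type1_if_total": 0, "type2_if_total": 0})
    for ev in events:
        row = totals[ev["user"]]
        value = ev.get("InterestingField", "")
        if TYPE1.search(value):
            row["type1_if_total"] += 1
        if TYPE2.search(value):
            row["type2_if_total"] += 1
    for row in totals.values():
        row["type_if_total"] = row["type1_if_total"] + row["type2_if_total"]
    return dict(totals)


if __name__ == "__main__":
    for user, row in sorted(conditional_counts(EVENTS).items()):
        print(user, row)
```

Note that bob's ".txt.bak" event is counted because the match is unanchored; anchor the pattern (e.g. with `$`) if only exact file names should count.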