How can I count both events that are tagged and those that aren't?

Phil219
Path Finder

I currently use the following to count the number of names that are tagged as cool:

... tag::cool | stats dc("Name")

This gives me a count of cool kids. I would like to compare the number of kids that are "cool" with those that are not cool. Any ideas how I can get those two numbers?


MuS
Legend

Hi Phil219,

you can do something like this:

  tag::cool OR tag::uncool | stats count(eval(tag="cool")) AS cool count(eval(tag="uncool")) AS uncool count AS total

to get a count of cool things, uncool things and a total count of both events.

Update
Just in case there is no tag::uncool you can use this search:

 tag::* OR NOT tag::* | stats count(eval(tag="cool")) AS cool sum(eval(if(isnull(tag), 1, 0))) AS uncool count AS total

Hope this helps ...

cheers, MuS
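An added example, not part of the original answer: the question asked for a distinct count of names (`dc("Name")`), while the searches above count events. The search below runs on six constructed events generated with `makeresults`, so it needs no index. The sample names and the output field names are made up for illustration, and `tag` here is an ordinary single-value field built with `eval` as a stand-in for Splunk's real tag field.

```spl
| makeresults count=6
| streamstats count AS n
| eval Name=case(n<=2, "alice", n<=4, "bob", true(), "carol")
| eval tag=if(n<=3, "cool", null())
| stats count(eval(tag="cool")) AS cool_events
        sum(eval(if(isnull(tag), 1, 0))) AS untagged_events
        dc(eval(if(tag="cool", Name, null()))) AS cool_names
        dc(eval(if(isnull(tag), Name, null()))) AS untagged_names
        dc(Name) AS total_names
| eval never_cool_names = total_names - cool_names
```

In this sample "bob" has one tagged and one untagged event, so he is counted in both `cool_names` and `untagged_names`; `never_cool_names` counts only the names with no cool-tagged event at all.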

Phil219
Path Finder

Works! Thank you!


Phil219
Path Finder

Nice! Thank you MuS! I have no "uncool" tag... I will give this a shot...


MuS
Legend

Hmm, maybe I misunderstood your question... Do you have a tag::uncool or only a tag for tag::cool?

MuS
Legend

updated the answer ...
