Re: How to count good work quotas vs. bad work quo...

pvirnig · ‎12-04-2017

I am a Newb at Splunk, so please bear with me if this is straight forward or has been answered previously. I have successfully used your Splunk>Answers on a number of occasions, but I am struggling with how to phrase this search.

SITUATION: I work in an assembly facility. I am currently calculating the number of good parts per completed device using:

 | stats count(eval(PartStatus=1))  AS "GOOD PARTS"

A correctly assembled device will contain a set number of GOOD PARTS (let's use "N"). I would like to count the number of devices based on "N". By doing this I will have the following:

 "GOOD DEVICES" - the number of devices that have "N" number of GOOD PARTS
 "BAD DEVICES" - the number of devices that do NOT have "N" number of GOOD PARTS

QUESTION: How do I count the number of GOOD DEVICES and the number of BAD DEVICES, each of which are based on a value derived from a previous count?

woodcock · ‎12-04-2017

Like this:

...   | stats count AS TotalParts count(eval(PartStatus=1)) AS GoodParts BY host
| eval state=if((GoodParts>YourNumberHere), "Good", "Bad")

pvirnig · ‎12-05-2017

This is slightly different than the above response and also works. Thank you.

somesoni2 · ‎12-04-2017

Assuming your stats includes a by clause for device, try something like this.

..your base search..| stats count(eval(PartStatus=1))  AS "GOOD PARTS" by device 
| eval device_type=if('GOOD PARTS'=N,"GOOD DEVICE","GAD DEVICE")
| stats count by device_type

pvirnig · ‎12-05-2017

I was able to finally get back to this. Your response is spot on. Thanks for your help on this.

How to count good work quotas vs. bad work quotas?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio