conditional count(eval)

learningquery · ‎10-17-2023

Hi community,

| eval ycw = strftime(_time, "%Y_%U")
| stats count(eval("FieldA"="True")) as FieldA_True,
count(eval('FieldB'="True")) as FieldB_True,
count(eval('FieldC'="True")) as FieldC_True
by ycw
| table ycw, FieldA_True, FieldB_True, FieldC_True

I get 0 result even though there is data. Could anyone please suggest a correct query?

BR

learningquery · ‎10-20-2023

Thanks for providing the hints. I tried both the changes eval and random command it did not work unfortunately. While I am sure the data exists.

yuanliu · ‎10-21-2023

unfortunately. While I am sure the data exists.

By "data exists" do you mean some values of field "Infra Finding" are string "Yes", etc.? Can you show sample output of

earliest=-10w latest=now LOB=HEC search_name!=null
| eval ycw = strftime(_time, "%Y_%U")
| fields ycw "Infra Finding" "OS Finding" "App Finding"
| stats values(*) as * by ycw

learningquery · ‎10-21-2023

Thanks for the hint. Attached is the result I get. But want the total count of all TRUE cases listed per calendar week in numbers and also in % (I don't want the FALSE as result ). The attached .xls shows what I am looking for with example numbers

learningquery · ‎10-26-2023

I figured out the minor error was - "True" needs to be "true", as the value returns a boolean.

yuanliu · ‎10-26-2023

Isn't this exactly what I posted in https://community.splunk.com/t5/Splunk-Search/conditional-count-eval/m-p/665764/highlight/true#M2284... Splunk doesn't really store boolean values.

learningquery · ‎10-21-2023

Sorry, now I put the correct result (Pl ignore the previous result)

learningquery · ‎10-26-2023

absolutely, I was too beginner to grasp it!

yuanliu · ‎10-21-2023

Pro tip: Post data and output in text. It is much easier for volunteers.

So, the fields do NOT have values "True" as your mock code has implied. They have values "true". If you haven't grasped this, Splunk stores most data in string tokenized strings and numeric values. Have you tried this?

| eval ycw = strftime(_time, "%Y_%U")
| stats count(eval('FieldA'="true")) as FieldA_True,
              count(eval('FieldB'="true")) as FieldB_True,
              count(eval('FieldC'="true")) as FieldC_True
by ycw
| table ycw, FieldA_True, FieldB_True, FieldC_True

richgalloway · ‎10-17-2023

Confirm the ycw field has values. If ycw is null then the stats command will return no results - because there are no values by which to group the stats.

Also, the evals should not have the field names in double quotes because that treats them a literal strings rather than as field names. Use single quotes or no quotes around field names.

---
If this reply helps you, Karma would be appreciated.

fredclown · ‎10-18-2023

Based on the search given ycw will always have a value as it is derived from _time and every event has an _time.

The second part is correct. I too noticed that and corrected the double quotes in the eval in my answer.

fredclown · ‎10-17-2023

I've added some fake data before the SPL you provided and when I run it I get results like the below screenshot. It's hard to say what is going on in your environment and with your data but I would tend to think either the base search returned nothing or your fields (FieldA, FieldB, FieldC) don't exist in the data returned from the base search.

| makeresults count=300
| eval _time=_time-(86400*(random() % 61))
| eval FieldA=if(random() % 2==1,"True", "False")
| eval FieldB=if(random() % 2==1,"True", "False")
| eval FieldC=if(random() % 2==1,"True", "False")
```^^^^ Fake data added by me ^^^^```
| eval ycw = strftime(_time, "%Y_%U")
| stats count(eval('FieldA'="True")) as FieldA_True, count(eval('FieldB'="True")) as FieldB_True, count(eval('FieldC'="True")) as FieldC_True by ycw
| table ycw, FieldA_True, FieldB_True, FieldC_True

conditional count(eval)

eval

stats

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!