
I have a team of Unix admins, each of which manages multiple applications. I created a CSV lookup file that contains the name of the application, the primary admin responsible for it and one or more backup admins in case the primary is unavailable. It is very useful to keep track of who is doing what, and who to assign a new app to when a new one comes in. Here is an example of my CSV file:

Application,Primary,Backup1,Backup2

I'm able to create a simple bar chart showing the number of apps assigned to each primary admin, but I'm not having any luck in getting the number of admins that are a backup to each project. What I would like to see is a list of each admin and a count of apps each one is a primary for plus a count of apps they are a backup for, something like:

Admin Primary Backup

It's pretty easy to get a count of apps each one is a primary for:

| inputlookup AdminAppSupport.csv | stats count as "Primary Apps" by Primary

But all my attempts to do a count of admins that are in Backup1 or Backup2 fail. Any pointers would be greatly appreciated.

The best way to peek under the hood would be to start by running this chunk:

| inputlookup AdminAppSupport.csv

The three appendpipe commands are generating the stats per category. The table is all a mess, but the data is there in the rows that don't contain a value for Application. That leads us into the next line of code, where we remove all the lines with values for Application:

| where isnull(Application)

Now we need a list of all unique Admin names. Given that each row is guaranteed to only contain one Admin's name (regardless of whether they were Primary, Backup1, or Backup2), we use coalesce to grab whichever value is not null:

| eval Admin=coalesce(Primary, Backup1, Backup2)

Next, we need to make this table more readable by pushing it together so that each Admin has a single row, containing the max value from each category (P, B1, B2). We could just as easily have chosen the min value, since there will only be one value - but stats requires some kind of function, and I chose this one.

| stats max(*_Apps) AS * BY Admin

But you wanted to combine the Backup1 and Backup2 counts, so we need to add them together into a single Backup field and remove the B1 and B2 fields:

| eval Backup=Backup1+Backup2

Finally, we add in a fillnull so that the table is nicely populated and not full of blank spots.

The issue at hand I think is an understanding of the differences between eval and chart. eval lets you assign a value to a new field on each result (row / record) based on values of other fields in each result and functions applied to the same. Because eval works on a row by row basis, attempting to.

The eval expression uses the match() function to compare the fromdomain to a regular expression that looks for the different suffixes in the domain. The stats count() function is used to count the results of the eval expression.

Use the original stats function against the results, as follows: index'summaryimplsplunk' searchname'testing sistats' stats count max(reqtime). But when we c (freeleases) it was counting every instance of distinctCount as freeleases.
