11/21/2023 0 Comments Splunk stats count by multiple fields![]() ![]() What I want is that I need to make the rows unique and display the count of the Requester Id in a new field.įor example: if there are 2 logs with the same Requester_Id with value "abc", I would still display those two logs separately in a table because it would have other fields different such as the date and time but I would like to display the count of the Requester_Id as 2 in a new field in the same table. KIran331's answer is correct, just use the rename command after the stats command runs. hello splunkers, We are trying to get the chart over for multiple fields sample as below, we are not able to get it, kindly help us on how to query it. At one point the search manual says you CANT use a group by field as one of the stats fields, and gives an example of creating a second field with eval in order to make that work. searchHere stats count as total by custaction, account stats values (custaction) AS action, values (total) by account. Right now, if I run the following command, I get the results I'm looking for, but the way they are being displayed is not exactly how I would like it. This is what the table and the issue look like : I'm surprised that splunk let you do that last one. I would like to count events for two fields grouped by another field. Group-by in Splunk is done with the stats command. The first clause uses the count () function to count the Web access events that contain the method field value GET. The issue that this query has is that it is grouping the Requester Id field into 1 row and not displaying the count at all. Group by count Group by count, by time bucket Group by averages and percentiles, time buckets Group by count distinct, time buckets Group by sum Group by multiple fields For info on how to use rex to extract fields: Splunk regular Expressions: Rex Command Examples. Splunk: Group by certain entry in log file. ![]() | table Type_of_Call LOB DateTime_Stamp Policy_Number Requester_Id Last_Name State City Zip Splunk: Stats from multiple events and expecting one combined output. Hello All, I have query which is returning below result sets in table :Field1, Field2, Field3 are headers and BLANK,NO-BLANK are respective values Field1, Field2, Field3 BLANK, NO-BLANK,BLANK NO-BLANK,NO-BLANK,BLANK BLANK,NO-BLANK,BLANK NO-BLANK,NO-BLANK,BLANK BLANK,BLANK,BLANK i want to show result. This is my splunk query: | stats count, values(*) as * by Requester_Id LOG_LEVEL="INFO" MESSAGE="Type_of_Call = Sample Call LOB = F DateTime_Stamp = T21:10:53.900129 Policy_Number = 12-AB-1234-5 Requester_Id = A1231301 Last_Name = SAMPLE State = IL City = Chicago Zip 12345" APPLICATION_VERSION="appVersion_IS_UNDEFINED" I am trying to isolate 1 field and get a count of the value of that field and display the count in an existing table as a new field I am working with event logs which contain many fields.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |