https://community.splunk.com/t5/Knowledge-Management/summary-indexing-with-sisat-distinct-count-without-the-list-of/m-p/29384#M266 <P>The sistats distinct count function MUST keep a list of unique ips, as the sistats command is designed to <EM>put</EM> information into a summary index. When computing the "final" distinct count from a summary index, splunk has to be able to dedup the counts from all the time periods.</P> <P>When you <EM>put</EM> data into a summary index, use <CODE>sistats</CODE>.</P> <P>When you <EM>get</EM> data from a summary index, use <CODE>stats</CODE>.</P> <PRE><CODE>index=summary search_name=the_search_that_put_the_data_in | stats dc(clientip) by host </CODE></PRE> <P>should do what you want.</P> Thu, 09 Aug 2012 04:21:54 GMT lguinn2 2012-08-09T04:21:54Z https://community.splunk.com/t5/Knowledge-Management/summary-indexing-with-sisat-distinct-count-without-the-list-of/m-p/29383#M265 <P>... |sistats dc(clientip) by host </P> <P>Returns : <BR /> host psrsvd_ct_clientip psrsvd_gc psrsvd_v psrsvd_vm_clientip</P> <P>Where psrsvd_vm_clientip is the list of the unique ip's. All i need it the count not the detail in the summary index. What is the best way just get the dc(clientip)? </P> Mon, 28 Sep 2020 12:13:17 GMT https://community.splunk.com/t5/Knowledge-Management/summary-indexing-with-sisat-distinct-count-without-the-list-of/m-p/29383#M265 pshumate 2020-09-28T12:13:17Z https://community.splunk.com/t5/Knowledge-Management/summary-indexing-with-sisat-distinct-count-without-the-list-of/m-p/29384#M266 <P>The sistats distinct count function MUST keep a list of unique ips, as the sistats command is designed to <EM>put</EM> information into a summary index. When computing the "final" distinct count from a summary index, splunk has to be able to dedup the counts from all the time periods.</P> <P>When you <EM>put</EM> data into a summary index, use <CODE>sistats</CODE>.</P> <P>When you <EM>get</EM> data from a summary index, use <CODE>stats</CODE>.</P> <PRE><CODE>index=summary search_name=the_search_that_put_the_data_in | stats dc(clientip) by host </CODE></PRE> <P>should do what you want.</P> Thu, 09 Aug 2012 04:21:54 GMT https://community.splunk.com/t5/Knowledge-Management/summary-indexing-with-sisat-distinct-count-without-the-list-of/m-p/29384#M266 lguinn2 2012-08-09T04:21:54Z https://community.splunk.com/t5/Knowledge-Management/summary-indexing-with-sisat-distinct-count-without-the-list-of/m-p/29385#M267 <P>same thing I came up with. Thanks for the help.</P> Thu, 09 Aug 2012 14:00:23 GMT https://community.splunk.com/t5/Knowledge-Management/summary-indexing-with-sisat-distinct-count-without-the-list-of/m-p/29385#M267 pshumate 2012-08-09T14:00:23Z https://community.splunk.com/t5/Knowledge-Management/summary-indexing-with-sisat-distinct-count-without-the-list-of/m-p/665677#M9778 <P>Thanks for the solution!</P><P>We can use&nbsp;| sistats values(myfield) as myfield to populate summary index.</P> Fri, 20 Oct 2023 13:36:49 GMT https://community.splunk.com/t5/Knowledge-Management/summary-indexing-with-sisat-distinct-count-without-the-list-of/m-p/665677#M9778 splunkreal 2023-10-20T13:36:49Z