topic Re: How to display all events when using stats count by instead of just the one "by" field? in Dashboards & Visualizations

How to display all events when using stats count by instead of just the one "by" field?

vwilson3 — Sat, 07 Jul 2018 01:47:54 GMT

Hello,

I'm a Splunk novice and appreciate your patience. I'm trying to figure out how to display all of the fields listed in my search, but there is only data in the table in the one field specified in the |stats count by field3. Here is my search:

index=myindex field1="TY" field2="G"
|stats count by field3 where count >5
|fields + _time host field1 field2 field3 field4 field5
|table _time host field1 field2 field3 field4 field5

I appreciate any help, tips, or tricks!

Re: How to display all events when using stats count by instead of just the one "by" field?

richgalloway — Sat, 07 Jul 2018 22:19:45 GMT

The stats command is a filtering command. That means the only fields available downstream are those mentioned in stats. In your example, only 'count' and 'field3' are available. The fields command cannot put back what stats takes out.
For an alternative, look at the streamstats command, which adds fields to events rather than remove fields.

Re: How to display all events when using stats count by instead of just the one "by" field?

woodcock — Sun, 08 Jul 2018 20:14:26 GMT

That is exactly why eventstats exists. It performs the analysis of stats and sticks the answers not on a new summary but sprinkled throughout the starting events. Just switch from stats to eventstats.

Re: How to display all events when using stats count by instead of just the one "by" field?

vwilson3 — Wed, 11 Jul 2018 00:55:21 GMT

Thank you so much for your help! I am learning every day, for sure!

Re: How to display all events when using stats count by instead of just the one "by" field?

vwilson3 — Mon, 16 Jul 2018 13:00:56 GMT

I just learned that I should upvote. Sorry about that. Not trying to be rude; just a newbie. 😉