https://community.splunk.com/t5/Splunk-Search/How-to-get-count-by-unique-value/m-p/472090#M132826 <P>I am getting error while running this query. And product-id could be decimal value too, ex: 123.4567.8900. Thanks</P> Tue, 14 Apr 2020 16:55:00 GMT vel4ever 2020-04-14T16:55:00Z https://community.splunk.com/t5/Splunk-Search/How-to-get-count-by-unique-value/m-p/472087#M132823 <P>Hi,</P> <P>I am new to Splunk. I have below log which is capturing product id,</P> <P>Header product-id, 12345678900<BR /> Header product-id, 12345678901<BR /> Header product-id, 12345678900</P> <P>I would like to group by unique product id and count,</P> <P>12345678900 2<BR /> 12345678901 1</P> <P>Here product-id is not a field in splunk. How can write a query for this? </P> Tue, 14 Apr 2020 01:36:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-count-by-unique-value/m-p/472087#M132823 vel4ever 2020-04-14T01:36:49Z https://community.splunk.com/t5/Splunk-Search/How-to-get-count-by-unique-value/m-p/472088#M132824 <P>If your log is literally lines like <CODE>Header product-id, 12345678900</CODE> then you can extract the last value (assuming all digits) and stats-by on that.</P> <P>Example:</P> <PRE><CODE>(your search) | rex "Header product-id, (&lt;productId&gt;\d+)" | stats count by productId </CODE></PRE> <P>If this doesn't work, please post the actual events you get back and I'm sure people here can help!</P> Tue, 14 Apr 2020 02:35:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-count-by-unique-value/m-p/472088#M132824 jpolvino 2020-04-14T02:35:39Z https://community.splunk.com/t5/Splunk-Search/How-to-get-count-by-unique-value/m-p/472089#M132825 <P>hi @vel4ever </P> <P>try this </P> <PRE><CODE>| makeresults | eval raw="Header product-id, 12345678900" |eval ID=mvindex(split(raw," "),-1) |stats count by ID </CODE></PRE> Tue, 14 Apr 2020 10:44:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-count-by-unique-value/m-p/472089#M132825 harishalipaka 2020-04-14T10:44:00Z https://community.splunk.com/t5/Splunk-Search/How-to-get-count-by-unique-value/m-p/472090#M132826 <P>I am getting error while running this query. And product-id could be decimal value too, ex: 123.4567.8900. Thanks</P> Tue, 14 Apr 2020 16:55:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-count-by-unique-value/m-p/472090#M132826 vel4ever 2020-04-14T16:55:00Z https://community.splunk.com/t5/Splunk-Search/How-to-get-count-by-unique-value/m-p/472091#M132827 <P>I am not getting any results for this query. Thanks.</P> Tue, 14 Apr 2020 16:55:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-count-by-unique-value/m-p/472091#M132827 vel4ever 2020-04-14T16:55:27Z https://community.splunk.com/t5/Splunk-Search/How-to-get-count-by-unique-value/m-p/472092#M132828 <P>Use rex command.</P> <PRE><CODE> | rex "product-id,\s(?&lt;product_id&gt;[\d\.]+)" | stats count by product_id </CODE></PRE> Tue, 14 Apr 2020 17:22:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-count-by-unique-value/m-p/472092#M132828 manjunathmeti 2020-04-14T17:22:00Z