topic Re: I need help me using dedup and dc count? in Splunk Search

I need help me using dedup and dc count?

sunnyft — Fri, 27 Mar 2020 19:16:06 GMT

I have the following search based on this i just want to see unique values for the search

Re: I need help me using dedup and dc count?

adonio — Fri, 27 Mar 2020 19:39:16 GMT

your stats dc(id) as ID takes away all other fields
if i understand your needs, try this:
index = one eventtype=one_tu open=false | stats values(id) as all_ids
if you want to see it with other fields context, add a by clause for your stats command

Re: I need help me using dedup and dc count?

sunnyft — Fri, 27 Mar 2020 20:14:30 GMT

Tried using this as well but no results

Re: I need help me using dedup and dc count?

sunnyft — Fri, 27 Mar 2020 20:16:22 GMT

under statistics i get 0 count however, if i don't use stats value I see the results but i want to get unique count so still need help

Re: I need help me using dedup and dc count?

adonio — Fri, 27 Mar 2020 20:55:16 GMT

can you share a sample event/s?

Re: I need help me using dedup and dc count?

sunnyft — Fri, 27 Mar 2020 21:04:10 GMT

may be i dont even need to use stat dc, I am getting answers when i use this | stats values(id) as -__Name however the table is empty i was trying to do to get rid off duplicate Name even if it is by different user, I am not even sure if i need to use Stats dc but I dont want to see duplicate value in the table

if i dont use | stats values(id) as -__Name i'm getting results but duplicate as well

Re: I need help me using dedup and dc count?

sunnyft — Fri, 27 Mar 2020 21:11:41 GMT

I wan to add the info in the table without duplicate

Re: I need help me using dedup and dc count?

to4kawa — Sat, 28 Mar 2020 01:20:14 GMT

index=one eventtype=one_tu open="false"
| fields Date ComputerName  agentName  class Content id
| stats values(*) as * by id

reference:

by-clause
- Syntax: BY
- Description: The name of one or more fields to group by. You cannot use a wildcard character to specify multiple fields with similar names. You must specify each field separately. The BY clause returns one row for each distinct value in the BY clause fields. If no BY clause is specified, the stats command returns only one row, which is the aggregation over the entire incoming result set.

If you want to display fields by each id , try my query.

Re: I need help me using dedup and dc count?

DavidHourani — Sat, 28 Mar 2020 07:41:31 GMT

Hi @sunnyft,

I think you're looking for something like this :

index=one eventtype=one_tu  open=false
| sort -time, ComputerName
| dedup id
|stats dc(id) as ID by Date, ComputerName, agentName, class,Content

Let me know if that helps !

Cheers,
David

Re: I need help me using dedup and dc count?

sunnyft — Sat, 28 Mar 2020 16:21:27 GMT

No it didn't work I am not able to see the any Statistics

Re: I need help me using dedup and dc count?

woodcock — Sat, 28 Mar 2020 19:42:07 GMT

Never use sort without a number. There is no need to use both; try this:

index=one eventtype=one_tu
| sort 0 -time, ComputerName
| dedup id
| search open="false"
| table Date, ComputerName, agentName, class,Content,id

Re: I need help me using dedup and dc count?

DavidHourani — Sun, 29 Mar 2020 03:23:37 GMT

Try using this first :

 index=one eventtype=one_tu  open=false
 | sort -time, ComputerName
 | dedup id

Does it give you anything ?
If so, could you please check if you have the following fields : Date, ComputerName, agentName, class,Content ?

Could be that you don't have a field called Date ?

 index=one eventtype=one_tu  open=false
 | dedup id
 |stats dc(id) as ID, values(agentName) as agentName, values(class) as class, values(Content) as Content by _time, ComputerName