topic Getting count of field instead of a list of them in Splunk Search https://community.splunk.com/t5/Splunk-Search/Getting-count-of-field-instead-of-a-list-of-them/m-p/361324#M160642 <P>Hello,</P> <P>I am getting a stack of CVE field values, I just wanted to display the number of them (count). Here is my code:</P> <PRE><CODE>index=nessus cve=* | eval CVSS_SCORE = cvss_base_score + cvss_temporal_score | eval description=substr(description,1,100) | eval solution=substr(solution,1,100) | rename id as ID, cve as CVE, plugin_name as Plugin_Name, description as Description, solution as Solution | table ID, Plugin_Name, Description, CVE, Solution, CVSS_SCORE | sort - CVSS_SCORE </CODE></PRE> <P>This is what it looks like <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/3093iB66204DD80B7BD9F/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Thu, 22 Jun 2017 14:32:55 GMT rkaakaty 2017-06-22T14:32:55Z Getting count of field instead of a list of them https://community.splunk.com/t5/Splunk-Search/Getting-count-of-field-instead-of-a-list-of-them/m-p/361324#M160642 <P>Hello,</P> <P>I am getting a stack of CVE field values, I just wanted to display the number of them (count). Here is my code:</P> <PRE><CODE>index=nessus cve=* | eval CVSS_SCORE = cvss_base_score + cvss_temporal_score | eval description=substr(description,1,100) | eval solution=substr(solution,1,100) | rename id as ID, cve as CVE, plugin_name as Plugin_Name, description as Description, solution as Solution | table ID, Plugin_Name, Description, CVE, Solution, CVSS_SCORE | sort - CVSS_SCORE </CODE></PRE> <P>This is what it looks like <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/3093iB66204DD80B7BD9F/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Thu, 22 Jun 2017 14:32:55 GMT https://community.splunk.com/t5/Splunk-Search/Getting-count-of-field-instead-of-a-list-of-them/m-p/361324#M160642 rkaakaty 2017-06-22T14:32:55Z Re: Getting count of field instead of a list of them https://community.splunk.com/t5/Splunk-Search/Getting-count-of-field-instead-of-a-list-of-them/m-p/361325#M160643 <PRE><CODE>| stats count as CVECount </CODE></PRE> <P>or</P> <PRE><CODE>| stats dc(CVE) as CVECount </CODE></PRE> <P>You don't really need much of that if all you want is the count of CVEs...</P> <PRE><CODE> index=nessus cve=* | fields cve | dedup cve | stats dc(cve) as CVECount </CODE></PRE> <P>And if cve is an indexed field, then <CODE>tstats</CODE> would probably be more efficient</P> <PRE><CODE>tstats where index=nessus AND cve=* | stats dc(cve) as CVECount </CODE></PRE> Thu, 22 Jun 2017 14:56:20 GMT https://community.splunk.com/t5/Splunk-Search/Getting-count-of-field-instead-of-a-list-of-them/m-p/361325#M160643 DalJeanis 2017-06-22T14:56:20Z