https://community.splunk.com/t5/Splunk-Search/How-to-get-field-count-rather-than-stats-count/m-p/450622#M171353 <P>Yeah what you said "index="smt_fortigate" host="10.8.12.1" srcintf=mysummitwifi | stats dc(devtype) <BR /> but this only gives the unique values &amp; count of devtype field" is exactly right. So I was asking the question sort of wrong. </P> <P>ultimately my query ended up looking like this to give me my desired output:<BR /> index="smt_fortigate" host="10.8.12.1" srcintf=mysummitwifi | stats dc(src_mac) by devtype</P> <P>which give me a count of src_mac and groups them by devtype</P> Wed, 30 Sep 2020 00:29:17 GMT summitsplunk 2020-09-30T00:29:17Z https://community.splunk.com/t5/Splunk-Search/How-to-get-field-count-rather-than-stats-count/m-p/450618#M171349 <P>Here's my query:</P> <P>index="smt_fortigate" host="10.8.12.1" srcintf=mysummitwifi | stats count by devtype</P> <P>What I want to do is get something like this :</P> <P>devtype</P> <P>iphone 100<BR /> windows 105<BR /> Android 200</P> <P>I don't want stats on all of the events. I just want the totals of of all the possibilities for the devtype Field. How would I write this?</P> Thu, 09 May 2019 20:36:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-field-count-rather-than-stats-count/m-p/450618#M171349 summitsplunk 2019-05-09T20:36:36Z https://community.splunk.com/t5/Splunk-Search/How-to-get-field-count-rather-than-stats-count/m-p/450619#M171350 <P>@summitsplunk Can you be more clear, looking at the desired output you have shared your query looks correct , do you have some sample data with output example?</P> Thu, 09 May 2019 21:23:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-field-count-rather-than-stats-count/m-p/450619#M171350 Vijeta 2019-05-09T21:23:54Z https://community.splunk.com/t5/Splunk-Search/How-to-get-field-count-rather-than-stats-count/m-p/450620#M171351 <P>Figured it out. So I just didn't know how to ask the question but with some googling I found the write term which is "Distinct Count"... Basically I wanted to get a distinct count of each field. Like seen in this article:</P> <P><A href="https://answers.splunk.com/answers/46241/how-can-i-retrieve-count-or-distinct-count-of-some-field-values-using-stats-function.html">https://answers.splunk.com/answers/46241/how-can-i-retrieve-count-or-distinct-count-of-some-field-values-using-stats-function.html</A></P> Thu, 09 May 2019 21:28:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-field-count-rather-than-stats-count/m-p/450620#M171351 summitsplunk 2019-05-09T21:28:03Z https://community.splunk.com/t5/Splunk-Search/How-to-get-field-count-rather-than-stats-count/m-p/450621#M171352 <P>Hi</P> <P>Are you looking for this</P> <P>index="smt_fortigate" host="10.8.12.1" srcintf=mysummitwifi | stats count(devtype) as count</P> <P>&amp; if you are looking for distinct count - index="smt_fortigate" host="10.8.12.1" srcintf=mysummitwifi | stats dc(devtype) <BR /> but this only gives the unique values &amp; count of devtype field which is not you are looking for i guess.</P> <P>Thanks</P> Thu, 09 May 2019 23:05:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-field-count-rather-than-stats-count/m-p/450621#M171352 PowerPacked 2019-05-09T23:05:32Z https://community.splunk.com/t5/Splunk-Search/How-to-get-field-count-rather-than-stats-count/m-p/450622#M171353 <P>Yeah what you said "index="smt_fortigate" host="10.8.12.1" srcintf=mysummitwifi | stats dc(devtype) <BR /> but this only gives the unique values &amp; count of devtype field" is exactly right. So I was asking the question sort of wrong. </P> <P>ultimately my query ended up looking like this to give me my desired output:<BR /> index="smt_fortigate" host="10.8.12.1" srcintf=mysummitwifi | stats dc(src_mac) by devtype</P> <P>which give me a count of src_mac and groups them by devtype</P> Wed, 30 Sep 2020 00:29:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-field-count-rather-than-stats-count/m-p/450622#M171353 summitsplunk 2020-09-30T00:29:17Z https://community.splunk.com/t5/Splunk-Search/How-to-get-field-count-rather-than-stats-count/m-p/450623#M171354 <P>Like this:</P> <PRE><CODE>index="smt_fortigate" host="10.8.12.1" srcintf=mysummitwifi | stats dc(devtype) </CODE></PRE> Sat, 11 May 2019 05:09:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-field-count-rather-than-stats-count/m-p/450623#M171354 woodcock 2019-05-11T05:09:24Z