https://community.splunk.com/t5/Splunk-Search/How-to-count-unique-events-pr-class/m-p/445256#M171582 <P>Thanks for you reply. First one is close, but I would like to group it together.<BR /> Last one only counts number of colors, ignoring the number of cars in each color pr car group.</P> <P>Your first result</P> <PRE><CODE>car color count BMW black 1 Ford blue 1 Ford green 1 Opel blue 1 Opel green 1 Opel yellow 2 </CODE></PRE> <P>If you look at my request, I would like one multivalue Opel with list of colors and the number of cars in each color.</P> Thu, 02 May 2019 07:10:25 GMT lakromani 2019-05-02T07:10:25Z https://community.splunk.com/t5/Splunk-Search/How-to-count-unique-events-pr-class/m-p/445254#M171580 <P>I need help with <STRONG>stats</STRONG> in Splunk</P> <P>Let's say you have these example data:</P> <PRE><CODE>| stats count | eval car="Opel" | eval color="green" | append [| stats count | eval car="Ford" | eval color="blue"] | append [| stats count | eval car="Opel" | eval color="yellow"] | append [| stats count | eval car="BMW" | eval color="black"] | append [| stats count | eval car="Opel" | eval color="yellow"] | append [| stats count | eval car="Ford" | eval color="green"] | append [| stats count | eval car="Opel" | eval color="blue"] | fields - count </CODE></PRE> <P>Running it gives this table:</P> <PRE><CODE>*car* *color* Opel green Ford blue Opel yellow BMW black Opel yellow Ford green Opel blue </CODE></PRE> <P>I need to create a table that counts number of car in each color pr each car type.</P> <P>This is close, but not correct (it counts total cars and list the different colors)</P> <PRE><CODE>| stats count | eval car="Opel" | eval color="green" | append [| stats count | eval car="Ford" | eval color="blue"] | append [| stats count | eval car="Opel" | eval color="yellow"] | append [| stats count | eval car="BMW" | eval color="black"] | append [| stats count | eval car="Opel" | eval color="yellow"] | append [| stats count | eval car="Ford" | eval color="green"] | append [| stats count | eval car="Opel" | eval color="blue"] | fields - count | stats count values(color) by car car count values(color) BMW 1 black Ford 2 blue green Opel 4 blue green yellow </CODE></PRE> <P>Here is how I would like the output to be: (count number of car pr color pr each car type</P> <PRE><CODE>car count values(color) BMW 1 black Ford 1 blue 1 green Opel 1 blue 1 green 2 yellow </CODE></PRE> Thu, 02 May 2019 06:53:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-unique-events-pr-class/m-p/445254#M171580 lakromani 2019-05-02T06:53:18Z https://community.splunk.com/t5/Splunk-Search/How-to-count-unique-events-pr-class/m-p/445255#M171581 <P>Hi @lakromani,</P> <P>What you're looking for is a <CODE>...| stats count by car, color</CODE> with some magic.</P> <P>This should do the trick, let me know if it works out for you :</P> <PRE><CODE>| stats count | eval car="Opel" | eval color="green" | append [| stats count | eval car="Ford" | eval color="blue"] | append [| stats count | eval car="Opel" | eval color="yellow"] | append [| stats count | eval car="BMW" | eval color="black"] | append [| stats count | eval car="Opel" | eval color="yellow"] | append [| stats count | eval car="Ford" | eval color="green"] | append [| stats count | eval car="Opel" | eval color="blue"] | stats count by car, color | sort -count |stats list(color) as color list(count) as count by car </CODE></PRE> <P>Cheers,<BR /> David</P> Thu, 02 May 2019 06:58:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-unique-events-pr-class/m-p/445255#M171581 DavidHourani 2019-05-02T06:58:55Z https://community.splunk.com/t5/Splunk-Search/How-to-count-unique-events-pr-class/m-p/445256#M171582 <P>Thanks for you reply. First one is close, but I would like to group it together.<BR /> Last one only counts number of colors, ignoring the number of cars in each color pr car group.</P> <P>Your first result</P> <PRE><CODE>car color count BMW black 1 Ford blue 1 Ford green 1 Opel blue 1 Opel green 1 Opel yellow 2 </CODE></PRE> <P>If you look at my request, I would like one multivalue Opel with list of colors and the number of cars in each color.</P> Thu, 02 May 2019 07:10:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-unique-events-pr-class/m-p/445256#M171582 lakromani 2019-05-02T07:10:25Z https://community.splunk.com/t5/Splunk-Search/How-to-count-unique-events-pr-class/m-p/445257#M171583 <P>From your answer I did make this workaround. Not the best.<BR /> Can not this be done in stats directly?</P> <PRE><CODE>| stats count by car, color | eval info=color.":".count | stats values(info) by car car values(info) BMW black:1 Ford blue:1 green:1 Opel blue:1 green:1 yellow:2 </CODE></PRE> Thu, 02 May 2019 07:14:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-unique-events-pr-class/m-p/445257#M171583 lakromani 2019-05-02T07:14:13Z https://community.splunk.com/t5/Splunk-Search/How-to-count-unique-events-pr-class/m-p/445258#M171584 <P>I edited my answer <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> try again with the new query above <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> </P> Thu, 02 May 2019 07:18:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-unique-events-pr-class/m-p/445258#M171584 DavidHourani 2019-05-02T07:18:09Z https://community.splunk.com/t5/Splunk-Search/How-to-count-unique-events-pr-class/m-p/445259#M171585 <P>Ahh, did work perfectly, thanks.<BR /> Accepted <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 02 May 2019 07:26:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-unique-events-pr-class/m-p/445259#M171585 lakromani 2019-05-02T07:26:51Z https://community.splunk.com/t5/Splunk-Search/How-to-count-unique-events-pr-class/m-p/445260#M171586 <P>Just a side note, there is <CODE>| makeresults</CODE> for when you want to create an event without any data. It's better than <CODE>stats</CODE> because it can run directly on the search head. It's also got a <CODE>count</CODE> attribute for when you need more than one event, check the docs <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Makeresults">here</A>.</P> Thu, 02 May 2019 07:32:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-unique-events-pr-class/m-p/445260#M171586 jeffland 2019-05-02T07:32:43Z https://community.splunk.com/t5/Splunk-Search/How-to-count-unique-events-pr-class/m-p/445261#M171587 <P>I know about the <CODE>makeresult</CODE>, but did not find any solution on how to add cars and colors. Can you give me a hint?</P> Thu, 02 May 2019 07:57:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-unique-events-pr-class/m-p/445261#M171587 lakromani 2019-05-02T07:57:29Z https://community.splunk.com/t5/Splunk-Search/How-to-count-unique-events-pr-class/m-p/445262#M171588 <P>it's actually pretty easy, similar to what you did but with <CODE>makeresults</CODE> instead of <CODE>|stats count</CODE> :</P> <PRE><CODE>|makeresults | eval car="Opel" | eval color="green" | append [| makeresults | eval car="Ford" | eval color="blue"] | append [| makeresults | eval car="Opel" | eval color="yellow"] | append [| makeresults | eval car="BMW" | eval color="black"] | append [| makeresults | eval car="Opel" | eval color="yellow"] | append [| makeresults | eval car="Ford" | eval color="green"] | append [|makeresults | eval car="Opel" | eval color="blue"] </CODE></PRE> Thu, 02 May 2019 08:01:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-unique-events-pr-class/m-p/445262#M171588 DavidHourani 2019-05-02T08:01:36Z