topic How to find count for each field value? in Splunk Search

How to find count for each field value?

rakesh44 — Thu, 25 Apr 2019 04:33:23 GMT

Events:

SEVERITY=5, INCIDENT=INC1929283737

Command

index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access SEVERITY=* INCIDENT=*  | stats count(eval(component="Metrics")) as Metrics_count, count(eval(component="root")) as Root_count, count(eval(eventtype="splunkd-log")) as Splunkd_log_count, count(eval(eventtype="splunkd-access")) as Splunkd_access_count

I want to pull # of incident and severity, when component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access .... basically it should show, what is severity and incident in table for root:

root severity incident  Metrics severity incident splunkd-log severity incident

Re: How to find count for each field value?

vishaltaneja070 — Thu, 25 Apr 2019 07:35:42 GMT

@rakesh44
Didn't get your proper requirement:

something like this can work for you:
index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access SEVERITY=* INCIDENT=* | stats values(SEVERITY), count(INCIDENT) by component

if you by both fields i.e. component and eventtype, then use coalesce to convert them into a single field and then use it in stats.

Re: How to find count for each field value?

DMohn — Thu, 25 Apr 2019 08:59:12 GMT

You could try a search like this:

index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access SEVERITY=* INCIDENT=*  | eval type=case(component="Metrics","Metrics",component="root","Root",eventtype="splunkd-log","Splunkd-Log",eventtype="splunkd-access","Splunkd-Access",1=1,"other") | stats count by type severity | xyseries type severity count

This would give you a table like such:

                  Severity 1      Severity 2    ....
Metrics           1               2
Root              5
Splunkd-Log       6               8
Splunkd-Access                    3

Re: How to find count for each field value?

rakesh44 — Thu, 25 Apr 2019 09:59:48 GMT

Thanks for quick reply unfortunately your command did not worked. Below is my requirement

I have one field called components and under these i have value, root, splunkd_log, metrics and splunkd-access. I have field incident =INC12335 and severity=5 in events.

I want to find how many Incident with severity are raised when component=slunkd_log and component=metrics and component=splunkd-access.

Basically it should show how many Incident with severity is there for when component=slunkd_log

Basically it should show how many Incident with severity is there for when component=metrics

Basically it should show how many Incident with severity is there for when component=splunkd-access.

Basically it should show how many Incident with severity is there for when component=root

Re: How to find count for each field value?

rakesh44 — Thu, 25 Apr 2019 10:00:29 GMT

Thanks for quick reply unfortunately your command did not worked. Below is my requirement

I have one field called components and under these i have value, root, splunkd_log, metrics and splunkd-access. I have field incident =INC12335 and severity=5 in events.

I want to find how many Incident with severity are raised when component=slunkd_log and component=metrics and component=splunkd-access.

Basically it should show how many Incident with severity is there for when component=slunkd_log

Basically it should show how many Incident with severity is there for when component=metrics

Basically it should show how many Incident with severity is there for when component=splunkd-access.

Basically it should show how many Incident with severity is there for when component=root

Re: How to find count for each field value?

DMohn — Thu, 25 Apr 2019 11:34:58 GMT

Okay, if you have a field component in your events, you can use a this search command:

<your base search> | stats count by component, severity

This will give you a overview that will look somehow like this:

component    severity    count   
splunkd_log  5           1
splunkd_log  2           4
metrics      5           2
metrics      4           3

To format this table in a sort of matrix-like view, you may use the xyseries command:

| xyseries component severity count

[...]`

Re: How to find count for each field value?

rakesh44 — Thu, 25 Apr 2019 12:27:03 GMT

index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access SEVERITY=* INCIDENT=* | stats count by component, severity

index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access SEVERITY=* INCIDENT=* | xyseries component severity count

Re: How to find count for each field value?

DMohn — Thu, 25 Apr 2019 12:31:27 GMT

index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access SEVERITY= INCIDENT= | stats count by component, severity | xyseries component severity count

Re: How to find count for each field value?

rakesh44 — Thu, 25 Apr 2019 12:32:50 GMT

My requirement:

component         Incident          Severity               count
root
Metrics
splunkd_log 
splunkd-access

Re: How to find count for each field value?

DMohn — Thu, 25 Apr 2019 12:36:55 GMT

Wait, what sould be the result in the incident row? A count? An incident identifier?

Re: How to find count for each field value?

rakesh44 — Thu, 25 Apr 2019 12:43:12 GMT

Incident and severity is required ( count is not imp )

Re: How to find count for each field value?

woodcock — Fri, 26 Apr 2019 03:51:33 GMT

The stats command is multi-value-friendly so you can just do this:

index="_internal" AND (component IN("root", "Metrics") OR eventtype IN("splunkd-log", "splunkd-access")) AND SEVERITY=* AND INCIDENT=*
| eval component=mvappend(component, eventtype)
| stats count BY component SEVERITY INCIDENT

Re: How to find count for each field value?

rakesh44 — Fri, 26 Apr 2019 04:03:37 GMT

I have removed Incident and severity from command and checked, but its giving all fields of component not specific one.

index="_internal" AND (component IN("root", "Metrics") OR eventtype IN("splunkd-log", "splunkd-access"))
| eval component=mvappend(component, eventtype)
| stats count BY component

Re: How to find count for each field value?

rakesh44 — Fri, 26 Apr 2019 04:19:28 GMT

given command did not worked but below command worked with one issue

index=_internal component=Metrics OR component=root OR eventtype=splunkd-log OR eventtype=splunkd-access
| stats count(eval(component="root")) as root_count,count(eval(component="Metrics")) as "metrics_count", count(eval(eventtype="splunkd-log")) as splunkd-log_count, count(eval(eventtype="splunkd-access")) as splunkd-access-count

Not it should show incident related to component=root, eventtype=splunkd-log, eventtype=splunkd-access, but it is showing some extra Incident which is not related to above fields

Re: How to find count for each field value?

woodcock — Fri, 26 Apr 2019 04:35:23 GMT

It should look exactly like your given example in the comment of one of the other answers. Show me what it is giving now, then show me what you would like it to show.

Re: How to find count for each field value?

woodcock — Fri, 26 Apr 2019 04:38:36 GMT

Are we speaking the same language?

Re: How to find count for each field value?

rakesh44 — Wed, 30 Sep 2020 00:15:10 GMT

Hi woodcock, I got solution thanks for all your effort

index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access | stats count(eval(component="Metrics")) as Metrics_count, count(eval(component="root")) as Root_count, count(eval(eventtype="splunkd-log")) as Splunkd_log_count, count(eval(eventtype="splunkd-access")) as Splunkd_access_count by INCIDENT,SEVERITY

Re: How to find count for each field value?

rakesh44 — Wed, 30 Sep 2020 00:15:12 GMT

Below is the appropriate command