https://community.splunk.com/t5/Splunk-Search/Need-count-for-fields-value/m-p/409385#M171824 <P>Hi Friends,</P> <P>I have two field component and eventtype, need count of component=root and component=Metrics and venttype=splunkd-log and eventtype=splunkd-access .</P> <P>Am using below command but getting count of components only not eventtype, morover my data is big can we used tstats command in such case.Thanks</P> <P>index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access | stats count by component</P> Wed, 17 Apr 2019 05:10:54 GMT rakesh44 2019-04-17T05:10:54Z https://community.splunk.com/t5/Splunk-Search/Need-count-for-fields-value/m-p/409385#M171824 <P>Hi Friends,</P> <P>I have two field component and eventtype, need count of component=root and component=Metrics and venttype=splunkd-log and eventtype=splunkd-access .</P> <P>Am using below command but getting count of components only not eventtype, morover my data is big can we used tstats command in such case.Thanks</P> <P>index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access | stats count by component</P> Wed, 17 Apr 2019 05:10:54 GMT https://community.splunk.com/t5/Splunk-Search/Need-count-for-fields-value/m-p/409385#M171824 rakesh44 2019-04-17T05:10:54Z https://community.splunk.com/t5/Splunk-Search/Need-count-for-fields-value/m-p/409386#M171825 <P>@rakesh44 <BR /> You can use <CODE>eval()</CODE> to get the count of specific value.<BR /> Check below search:</P> <PRE><CODE>index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access | stats count(eval(component="Metrics")) as Metrics_count, count(eval(component="root")) as Root_count, count(eval(eventtype="splunkd-log")) as Splunkd_log_count, count(eval(eventtype="splunkd-access")) as Splunkd_access_count </CODE></PRE> Wed, 17 Apr 2019 05:29:33 GMT https://community.splunk.com/t5/Splunk-Search/Need-count-for-fields-value/m-p/409386#M171825 kamlesh_vaghela 2019-04-17T05:29:33Z https://community.splunk.com/t5/Splunk-Search/Need-count-for-fields-value/m-p/409387#M171826 <P>Thanks Kamlesh for quick reply</P> <P>Its works for me, can we expedite search its very slow , I have many events.</P> Wed, 17 Apr 2019 05:59:56 GMT https://community.splunk.com/t5/Splunk-Search/Need-count-for-fields-value/m-p/409387#M171826 rakesh44 2019-04-17T05:59:56Z https://community.splunk.com/t5/Splunk-Search/Need-count-for-fields-value/m-p/409388#M171827 <P>@rakesh44</P> <P>Can you please try this search for performace?</P> <PRE><CODE>| tstats count(eval(component="Metrics")) as Metrics_count, count(eval(component="root")) as Root_count, count(eval(eventtype="splunkd-log")) as Splunkd_log_count, count(eval(eventtype="splunkd-access")) as Splunkd_access_count count from datamodel=internal_server WHERE component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access </CODE></PRE> Wed, 17 Apr 2019 06:52:19 GMT https://community.splunk.com/t5/Splunk-Search/Need-count-for-fields-value/m-p/409388#M171827 kamlesh_vaghela 2019-04-17T06:52:19Z https://community.splunk.com/t5/Splunk-Search/Need-count-for-fields-value/m-p/409389#M171828 <P>Thanks Kamlesh for quick reply</P> <P>Tried with given command , but ending with error</P> <P>Error in 'TsidxStats': The tstats / mstats command cannot apply eval function to aggregation function. </P> Wed, 17 Apr 2019 08:12:22 GMT https://community.splunk.com/t5/Splunk-Search/Need-count-for-fields-value/m-p/409389#M171828 rakesh44 2019-04-17T08:12:22Z https://community.splunk.com/t5/Splunk-Search/Need-count-for-fields-value/m-p/409390#M171829 <P>@rakesh44 </P> <P>It's working for me in Splunk 7.2.3. Check below link.</P> <P><A href="https://drive.google.com/open?id=1DCEOpNokZBA6OLW6m7MxgJYVZFPcmvzz">https://drive.google.com/open?id=1DCEOpNokZBA6OLW6m7MxgJYVZFPcmvzz</A></P> <P>Can you please share your search if you have changed and Splunk version information?</P> Wed, 17 Apr 2019 09:01:02 GMT https://community.splunk.com/t5/Splunk-Search/Need-count-for-fields-value/m-p/409390#M171829 kamlesh_vaghela 2019-04-17T09:01:02Z https://community.splunk.com/t5/Splunk-Search/Need-count-for-fields-value/m-p/409391#M171830 <P>appreciate for your help</P> Wed, 17 Apr 2019 11:16:51 GMT https://community.splunk.com/t5/Splunk-Search/Need-count-for-fields-value/m-p/409391#M171830 rakesh44 2019-04-17T11:16:51Z https://community.splunk.com/t5/Splunk-Search/Need-count-for-fields-value/m-p/409392#M171831 <P>index="_internal" component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access | stats count(eval(component="Metrics")) as Metrics_count, count(eval(component="root")) as Root_count, count(eval(eventtype="splunkd-log")) as Splunkd_log_count, count(eval(eventtype="splunkd-access")) as Splunkd_access_count</P> <P>If you want to improve performance use below command ( Both command are working fine )</P> <P>| tstats count(eval(component="Metrics")) as Metrics_count, count(eval(component="root")) as Root_count, count(eval(eventtype="splunkd-log")) as Splunkd_log_count, count(eval(eventtype="splunkd-access")) as Splunkd_access_count count from datamodel=internal_server WHERE component=root OR component=Metrics OR eventtype=splunkd-log OR eventtype=splunkd-access</P> Wed, 30 Sep 2020 00:06:26 GMT https://community.splunk.com/t5/Splunk-Search/Need-count-for-fields-value/m-p/409392#M171831 rakesh44 2020-09-30T00:06:26Z https://community.splunk.com/t5/Splunk-Search/Need-count-for-fields-value/m-p/409393#M171832 <P>I dont see option to accept your answer and hence posting your answer again</P> Wed, 17 Apr 2019 11:19:10 GMT https://community.splunk.com/t5/Splunk-Search/Need-count-for-fields-value/m-p/409393#M171832 rakesh44 2019-04-17T11:19:10Z https://community.splunk.com/t5/Splunk-Search/Need-count-for-fields-value/m-p/409394#M171833 <P>@rakesh44</P> <P>Now you can mark it Accept. </P> Wed, 17 Apr 2019 12:07:27 GMT https://community.splunk.com/t5/Splunk-Search/Need-count-for-fields-value/m-p/409394#M171833 kamlesh_vaghela 2019-04-17T12:07:27Z