https://community.splunk.com/t5/Splunk-Search/Get-Source-Count-value/m-p/247463#M189123 <P>Hi,</P> <P>The following query below returns the output as shown below :</P> <P>Query:</P> <P>index="79390-np" sourcetype=np-cache-v2 source="*bp_detail*" |fields deviceId,bpRuleId | join deviceId [search index="79390-np" sourcetype=np-cache-v2 source="*bp_detail*"] | join bpRuleId [search index="79390-np" sourcetype=np-cache-v2 source="*bp_summary*" bpPrimaryTechnology="*"] | eval Month=strftime(_time,"%b %Y") | stats count as "totalExceptions",dc(source) as "sourcecount", dc(deviceId) as "uniquedevices" by Month</P> <P>Output:</P> <P>Month totalExceptions sourcecount uniquedevices<BR /> Feb 2016 181698 1 4197<BR /> Mar 2016 550648 1 4242</P> <P>Source data for Feb: bp_detail1.gz<BR /> Source data or March : bp_detail2.gz, bp_detail3.gz and bp_detail4.gz</P> <P>In the query above "dc(source) as sourcecount" returns the source count as "1" . I am expecting to some how get the original source count as "3" for March<BR /> since there are three source files meeting the criteria(source="*bp_detail*" ) for month of March. I need this count to find an average month wise.Please let me know.</P> <P>Thanks.</P> Tue, 29 Sep 2020 09:05:53 GMT amoldesai 2020-09-29T09:05:53Z https://community.splunk.com/t5/Splunk-Search/Get-Source-Count-value/m-p/247463#M189123 <P>Hi,</P> <P>The following query below returns the output as shown below :</P> <P>Query:</P> <P>index="79390-np" sourcetype=np-cache-v2 source="*bp_detail*" |fields deviceId,bpRuleId | join deviceId [search index="79390-np" sourcetype=np-cache-v2 source="*bp_detail*"] | join bpRuleId [search index="79390-np" sourcetype=np-cache-v2 source="*bp_summary*" bpPrimaryTechnology="*"] | eval Month=strftime(_time,"%b %Y") | stats count as "totalExceptions",dc(source) as "sourcecount", dc(deviceId) as "uniquedevices" by Month</P> <P>Output:</P> <P>Month totalExceptions sourcecount uniquedevices<BR /> Feb 2016 181698 1 4197<BR /> Mar 2016 550648 1 4242</P> <P>Source data for Feb: bp_detail1.gz<BR /> Source data or March : bp_detail2.gz, bp_detail3.gz and bp_detail4.gz</P> <P>In the query above "dc(source) as sourcecount" returns the source count as "1" . I am expecting to some how get the original source count as "3" for March<BR /> since there are three source files meeting the criteria(source="*bp_detail*" ) for month of March. I need this count to find an average month wise.Please let me know.</P> <P>Thanks.</P> Tue, 29 Sep 2020 09:05:53 GMT https://community.splunk.com/t5/Splunk-Search/Get-Source-Count-value/m-p/247463#M189123 amoldesai 2020-09-29T09:05:53Z https://community.splunk.com/t5/Splunk-Search/Get-Source-Count-value/m-p/247464#M189124 <P>Remove the final <CODE>|stats</CODE> and look at the data you're feeding into it. I'm guessing there's only one <CODE>source</CODE> value for March, probably because of all those <CODE>join</CODE>s. Seeing through what those do for your data is impossible from over here.</P> <P>For a few alternatives check out <A href="https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html">https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html</A></P> Mon, 14 Mar 2016 17:40:54 GMT https://community.splunk.com/t5/Splunk-Search/Get-Source-Count-value/m-p/247464#M189124 martin_mueller 2016-03-14T17:40:54Z https://community.splunk.com/t5/Splunk-Search/Get-Source-Count-value/m-p/247465#M189125 <P>I do know that after all the joins there is one source value for March. But how do I get the original source count . Is there a way to save the source count in a variable before those joins so that I can refer it later for average calculation.Please let me know. </P> <P>Thanks</P> Tue, 15 Mar 2016 16:47:43 GMT https://community.splunk.com/t5/Splunk-Search/Get-Source-Count-value/m-p/247465#M189125 amoldesai 2016-03-15T16:47:43Z https://community.splunk.com/t5/Splunk-Search/Get-Source-Count-value/m-p/247466#M189126 <P>I don't see a point in trying to fix a bunch of joins without knowing the data and requirements for the result - it'll just end in tears.</P> <P>For example, what original source count are you looking for? You have three searches, so there are three original source counts to choose from?</P> Tue, 15 Mar 2016 17:35:39 GMT https://community.splunk.com/t5/Splunk-Search/Get-Source-Count-value/m-p/247466#M189126 martin_mueller 2016-03-15T17:35:39Z https://community.splunk.com/t5/Splunk-Search/Get-Source-Count-value/m-p/247467#M189127 <P>Thanks for looking into it. I am looking to get the source count for <EM>bp_detail</EM>. It has three source files for March and one for Feb. I have mentioned more about it in my first mail.</P> <P>Thanks</P> Wed, 16 Mar 2016 10:07:46 GMT https://community.splunk.com/t5/Splunk-Search/Get-Source-Count-value/m-p/247467#M189127 amoldesai 2016-03-16T10:07:46Z