https://community.splunk.com/t5/Splunk-Search/Distinct-counts-on-only-those-fields-that-begin-with-a/m-p/571422#M199123 <P>Hi KV</P><P>Thanks for this. It's wasn't quite what I needed but got me on the right path to working it out. This is how I changed it and it appears to be working how I need with my original data.&nbsp;</P><P>index=searchdata domain="*edublogs*"<BR />| eval distinctCenters=Case(Like(domain,"edublogs%"), centre)<BR />| eval distinctUserids=Case(Like(domain,"edublogs%"), userid)<BR />| eventstats dc(distinctCenters) as distinctCenters, dc(distinctUserids) as distinctUserids by domain<BR />| stats count, sum(bytes) AS totalBytes by domain, distinctCenters, distinctUserids<BR />| table domain totalBytes, distinctCenters, distinctUserids</P><P>deton0</P> Mon, 18 Oct 2021 22:01:01 GMT deton0 2021-10-18T22:01:01Z https://community.splunk.com/t5/Splunk-Search/Distinct-counts-on-only-those-fields-that-begin-with-a/m-p/571253#M199055 <P>Hi</P><P>I'm searching on an internet usage index for events that contain a particular word somewhere in the domain. For example the word could be "edublogs".</P><P>From the result, I need to sum the total of bytes downloaded for all events returned. The problem I'm having is needing to calculate a distinct count of centers and a distinct count of userids where the domain name only begins with "edublogs", e.g. "edublogs.com" and not when it doesn't, e.g.&nbsp; "accountsedublogs.com".</P><P>I know this example is wrong but can someone please help me with how I would change it to achieve the outcome below?</P><P>index=searchdata domain="*edublogs*"<BR />| stats count dc(centre) AS distinctCenters<BR />| stats count dc(userid) AS distinctUserids<BR /><SPAN>| stats sum(bytes) AS totalBytes by domain<BR /></SPAN>| table domain totalBytes, distinctCenters, distinctUserids</P><P>My desired results would look something like...<BR />domain totalBytes distinctCenters distinctUserids<BR />Senior 50000 15 321</P><P>Many thanks</P> Mon, 18 Oct 2021 03:59:20 GMT https://community.splunk.com/t5/Splunk-Search/Distinct-counts-on-only-those-fields-that-begin-with-a/m-p/571253#M199055 deton0 2021-10-18T03:59:20Z https://community.splunk.com/t5/Splunk-Search/Distinct-counts-on-only-those-fields-that-begin-with-a/m-p/571261#M199057 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/37814">@deton0</a>&nbsp;</P><P>Can you please try this?</P><LI-CODE lang="markup">index=searchdata domain="*edublogs*" | stats count dc(centre) AS distinctCenters, dc(userid) AS distinctUserids, sum(bytes) AS totalBytes by domain | table domain totalBytes, distinctCenters, distinctUserids</LI-CODE><P>&nbsp;</P><P>KV&nbsp;</P> Mon, 18 Oct 2021 05:21:32 GMT https://community.splunk.com/t5/Splunk-Search/Distinct-counts-on-only-those-fields-that-begin-with-a/m-p/571261#M199057 kamlesh_vaghela 2021-10-18T05:21:32Z https://community.splunk.com/t5/Splunk-Search/Distinct-counts-on-only-those-fields-that-begin-with-a/m-p/571422#M199123 <P>Hi KV</P><P>Thanks for this. It's wasn't quite what I needed but got me on the right path to working it out. This is how I changed it and it appears to be working how I need with my original data.&nbsp;</P><P>index=searchdata domain="*edublogs*"<BR />| eval distinctCenters=Case(Like(domain,"edublogs%"), centre)<BR />| eval distinctUserids=Case(Like(domain,"edublogs%"), userid)<BR />| eventstats dc(distinctCenters) as distinctCenters, dc(distinctUserids) as distinctUserids by domain<BR />| stats count, sum(bytes) AS totalBytes by domain, distinctCenters, distinctUserids<BR />| table domain totalBytes, distinctCenters, distinctUserids</P><P>deton0</P> Mon, 18 Oct 2021 22:01:01 GMT https://community.splunk.com/t5/Splunk-Search/Distinct-counts-on-only-those-fields-that-begin-with-a/m-p/571422#M199123 deton0 2021-10-18T22:01:01Z