https://community.splunk.com/t5/Splunk-Search/How-to-get-count-of-unique-values-by-group/m-p/572131#M199393 <P>Pandas nunique() is used to get a count of unique values. It returns the Number of pandas unique values in a column. Pandas <A href="https://exerror.com/" target="_self">DataFrame groupby()</A> method is used to split data of a particular dataset into groups based on some criteria. The groupby() function split the data on any of the axes.</P> Sun, 24 Oct 2021 05:08:22 GMT milanpatel78 2021-10-24T05:08:22Z https://community.splunk.com/t5/Splunk-Search/How-to-get-count-of-unique-values-by-group/m-p/357087#M105638 <P>Hi</P> <P>I am working on query to retrieve count of unique host IPs by user and country. The country has to be grouped into Total vs Total Non-US. The final result would be something like below -</P> <P><STRONG>UserId, Total Unique Hosts, Total Non-US Unique Hosts</STRONG><BR /> user1, 42, 54<BR /> user2, 23, 95</P> <P>So far I have below query which works but its very slow. Is there any better and faster way to achieve desired result ? Thanks</P> <PRE><CODE>index=customindex sourcetype=custom src | iplocation allfields=true lang=code HOST | search Country!=US | stats estdc(HOST) as total_non_us by USERID | join USERID type="left" [ search index=customindex sourcetype=custom src | iplocation allfields=true lang=code HOST | search Country=US | stats estdc(HOST) as total_us by USERID ] | fillnull | eval total = total_non_us + total_us </CODE></PRE> Fri, 16 Mar 2018 15:28:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-count-of-unique-values-by-group/m-p/357087#M105638 indusbull 2018-03-16T15:28:24Z https://community.splunk.com/t5/Splunk-Search/How-to-get-count-of-unique-values-by-group/m-p/357088#M105639 <P>This should run more efficiently by avoiding the <CODE>join</CODE> command and duplicate searching:</P> <PRE><CODE>index=customindex sourcetype=custom src | iplocation allfields=true lang=code HOST | eval us_host=if(Country="US", HOST, NULL), non_us_host=if(Country!="US", HOST, NULL) | stats estdc(us_host) AS total_us, estdc(non_us_host) AS total_non_us BY USERID | fillnull | eval total = total_non_us + total_us </CODE></PRE> Fri, 16 Mar 2018 17:34:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-count-of-unique-values-by-group/m-p/357088#M105639 elliotproebstel 2018-03-16T17:34:46Z https://community.splunk.com/t5/Splunk-Search/How-to-get-count-of-unique-values-by-group/m-p/357089#M105640 <P>@elliotproebstel, I would perform stats first and then apply iplocation to aggregated fields.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Geostats#Usage">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Geostats#Usage</A><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup#Optimizing_your_lookup_search">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup#Optimizing_your_lookup_search</A></P> <PRE><CODE>index=customindex sourcetype=custom src | stats count BY USERID HOST | iplocation allfields=true lang=code HOST | eval us_host=if(Country="US", HOST, NULL), non_us_host=if(Country!="US", HOST, NULL) | stats dc(us_host) AS total_us, dc(non_us_host) AS total_non_us BY USERID | addtotals row=t col=f </CODE></PRE> <P>@indusbull, can you explain why you are trying to use <CODE>estdc()</CODE> and not <CODE>dc()</CODE>?</P> Fri, 16 Mar 2018 19:02:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-count-of-unique-values-by-group/m-p/357089#M105640 niketn 2018-03-16T19:02:02Z https://community.splunk.com/t5/Splunk-Search/How-to-get-count-of-unique-values-by-group/m-p/357090#M105641 <P>Good point, thanks!</P> Fri, 16 Mar 2018 20:02:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-count-of-unique-values-by-group/m-p/357090#M105641 elliotproebstel 2018-03-16T20:02:12Z https://community.splunk.com/t5/Splunk-Search/How-to-get-count-of-unique-values-by-group/m-p/357091#M105642 <P>@niketnilay I was using dc initially but since it was taking long time I decided to try estdc since splunk doc mentions that estdc can give better performance.</P> Fri, 16 Mar 2018 20:02:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-count-of-unique-values-by-group/m-p/357091#M105642 indusbull 2018-03-16T20:02:51Z https://community.splunk.com/t5/Splunk-Search/How-to-get-count-of-unique-values-by-group/m-p/512932#M143907 <P><SPAN>Pandas nunique() is used to get a count of unique values. It returns the Number of&nbsp;</SPAN><A href="https://appdividend.com/2020/05/25/pandas-unique-pandas-series-unique-in-python/" target="_blank" rel="noopener noreferrer nofollow">pandas unique values</A><SPAN>&nbsp;in a column.&nbsp;&nbsp;<A href="https://appdividend.com/2020/06/02/pandas-dataframe-groupby-method-in-python/" target="_blank" rel="noopener">Pandas DataFrame groupby()</A> method is used to split data of a particular dataset into groups based on some criteria. The groupby() function split the data on any of the axes.&nbsp;</SPAN></P> Fri, 07 Aug 2020 06:38:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-count-of-unique-values-by-group/m-p/512932#M143907 rushabh92 2020-08-07T06:38:16Z https://community.splunk.com/t5/Splunk-Search/How-to-get-count-of-unique-values-by-group/m-p/572131#M199393 <P>Pandas nunique() is used to get a count of unique values. It returns the Number of pandas unique values in a column. Pandas <A href="https://exerror.com/" target="_self">DataFrame groupby()</A> method is used to split data of a particular dataset into groups based on some criteria. The groupby() function split the data on any of the axes.</P> Sun, 24 Oct 2021 05:08:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-count-of-unique-values-by-group/m-p/572131#M199393 milanpatel78 2021-10-24T05:08:22Z