https://community.splunk.com/t5/Splunk-Search/How-to-get-multiple-distinct-counts-for-subset-of-logs-in-single/m-p/619974#M215489 <P>Hello, I am currently using the |append method for some queries, but was curious if there is a better way for me to be writing these? We are trying to create a single alert that could be triggered by various conditions such as total number of failures or total number of unique customer failures. The following is a simplified example of what I am currently doing and would like to improve if anyone knows how:</P><P>&nbsp;</P><LI-CODE lang="markup">"base query stuff" | stats count as TOTAL count(eval(SEVERITY="INFO")) as SUCCESS count(eval(SEVERITY="SOAP-FAULT")) as FAULT count(eval(SEVERITY!="INFO" AND SEVERITY!="SOAP-FAULT")) as ERROR | append [search "base query stuff" SEVERITY="SOAP-FAULT" | stats dc(userId) as UNIQUE_FAULT] | where UNIQUE_FAULT &gt; 10 OR FAULT &gt; 20 OR ERROR &gt; 30</LI-CODE><P>&nbsp;</P><P>I would also love to be able to create a table with all of&nbsp; this data (hence the success variable), which contains the totals of each and unique customer impacts of each!&nbsp;</P> Mon, 07 Nov 2022 19:16:36 GMT Damek 2022-11-07T19:16:36Z https://community.splunk.com/t5/Splunk-Search/How-to-get-multiple-distinct-counts-for-subset-of-logs-in-single/m-p/619974#M215489 <P>Hello, I am currently using the |append method for some queries, but was curious if there is a better way for me to be writing these? We are trying to create a single alert that could be triggered by various conditions such as total number of failures or total number of unique customer failures. The following is a simplified example of what I am currently doing and would like to improve if anyone knows how:</P><P>&nbsp;</P><LI-CODE lang="markup">"base query stuff" | stats count as TOTAL count(eval(SEVERITY="INFO")) as SUCCESS count(eval(SEVERITY="SOAP-FAULT")) as FAULT count(eval(SEVERITY!="INFO" AND SEVERITY!="SOAP-FAULT")) as ERROR | append [search "base query stuff" SEVERITY="SOAP-FAULT" | stats dc(userId) as UNIQUE_FAULT] | where UNIQUE_FAULT &gt; 10 OR FAULT &gt; 20 OR ERROR &gt; 30</LI-CODE><P>&nbsp;</P><P>I would also love to be able to create a table with all of&nbsp; this data (hence the success variable), which contains the totals of each and unique customer impacts of each!&nbsp;</P> Mon, 07 Nov 2022 19:16:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-multiple-distinct-counts-for-subset-of-logs-in-single/m-p/619974#M215489 Damek 2022-11-07T19:16:36Z https://community.splunk.com/t5/Splunk-Search/How-to-get-multiple-distinct-counts-for-subset-of-logs-in-single/m-p/620041#M215522 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/251032">@Damek</a>&nbsp;</P><P>If your base search is common for both searches then you can try this.</P><LI-CODE lang="markup">"base query stuff" | eval SOAP_FAULT_userId = if(SEVERITY=="SOAP-FAULT",userId,null()) | stats count as TOTAL count(eval(SEVERITY="INFO")) as SUCCESS count(eval(SEVERITY="SOAP-FAULT")) as FAULT count(eval(SEVERITY!="INFO" AND SEVERITY!="SOAP-FAULT")) as ERROR dc(SOAP_FAULT_userId) as Splunk</LI-CODE><P>&nbsp;</P><P><STRONG>My Sample Search :</STRONG></P><LI-CODE lang="markup">| makeresults | eval _raw="SEVERITY,userId INFO,1 INFO,1 SOAP-FAULT,1 SOAP-FAULT,2 INFO1,1 INFO2,1 OTHER_INFO,1 INFO,1 SOAP-FAULT,1 " | multikv forceheader=1 | table SEVERITY userId | rename comment as "upto this is sample data" | eval SOAP_FAULT_userId = if(SEVERITY=="SOAP-FAULT",userId,null()) | stats count as TOTAL count(eval(SEVERITY="INFO")) as SUCCESS count(eval(SEVERITY="SOAP-FAULT")) as FAULT count(eval(SEVERITY!="INFO" AND SEVERITY!="SOAP-FAULT")) as ERROR dc(SOAP_FAULT_userId) as Splunk</LI-CODE><P>&nbsp;</P><P>I hope this will help you.</P><P>Thanks<BR />KV<BR />If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.</P><P>&nbsp;</P> Tue, 08 Nov 2022 06:07:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-multiple-distinct-counts-for-subset-of-logs-in-single/m-p/620041#M215522 kamlesh_vaghela 2022-11-08T06:07:11Z https://community.splunk.com/t5/Splunk-Search/How-to-get-multiple-distinct-counts-for-subset-of-logs-in-single/m-p/620051#M215527 <P>In your first stats you can do the dc with this</P><LI-CODE lang="markup">dc(eval(if(SEVERITY="SOAP-FAULT", userId, null))) as UNIQUE_FAULT</LI-CODE><P>&nbsp;</P> Tue, 08 Nov 2022 06:46:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-multiple-distinct-counts-for-subset-of-logs-in-single/m-p/620051#M215527 bowesmana 2022-11-08T06:46:09Z