topic Re: How to get count ? in Splunk Search

How to get count ?

MG — Tue, 06 Jun 2023 10:21:14 GMT

I have a table in splunk with columns
|table _time idx Event_count IsOutlier Actual_outlier atf_hour_of_day atf_day_of_week lowerBound upperBound Email_Alert X X1 outlier_high_index outlier_low_index

I need to check how many times an index appears in the idx column. I can use |stats count by idx. It will give only the columns idx and count. But I need all the other columns as well..

Re: How to get count ?

javiergn — Tue, 06 Jun 2023 10:31:28 GMT

Hi @MG , you can use eventstats instead of stats for that as in | eventstats count by idx.

Hope that helps.

Re: How to get count ?

gcusello — Tue, 06 Jun 2023 10:34:16 GMT

Hi @MG,

you have to use the values option in the stats command:

<your_search> | stats earliest(_time) AS _time values(Event_count) AS Event_count values(IsOutlier) AS IsOutlier values(Actual_outlier) AS Actual_outlier values(atf_hour_of_day) AS atf_hour_of_day values(atf_day_of_week) AS atf_day_of_week values(lowerBound) AS lowerBound values(upperBound) AS upperBound values(Email_Alert) AS Email_Alert values(X) AS X values(X1) AS X1 values(outlier_high_index) AS outlier_high_index values(outlier_low_inde) AS outlier_low_index count BY idx | table _time idx Event_count IsOutlier Actual_outlier atf_hour_of_day atf_day_of_week lowerBound upperBound Email_Alert X X1 outlier_high_index outlier_low_index count

In this way you aggregate events grouped by idx, but you could have more values for each field.

ciao.

Giuseppe