https://community.splunk.com/t5/Splunk-Search/Distinct-count-of-one-field-when-second-field-matches-string-200/m-p/87677#M22414 <P>Hi I am trying two get distinct count of field1 when field2 contains string 200, 500, 400 etc and i am trying to summary index it. i cannot dedup it before eval function as same field1 value can exist in for another response</P> <PRE><CODE>eval response=case(rsppcode LIKE "%200%", 200, rsppcode LIKE "%401%", 401, rsppcode LIKE "%403%", 403, rsppcode LIKE "%404%", 404, rsppcode LIKE "%409%", 409, rsppcode LIKE "%504%", 504, rsppcode LIKE "%500%", 500, rsppcode LIKE "%422%", 422, rsppcode LIKE "%550%", 550, rsppcode LIKE "%", Others ) | timechart span=5min dc(field1) by response </CODE></PRE> <P>tried this one but when summaryindexed. it was unable to recognise response field as it is eval field. all response count is under null.</P> <P>Normal output</P> <PRE><CODE>_time 200 401 403 404 409 422 500 504 NULL 1 4/8/13 9:40:00.000 AM 2151 2 9 87 9 108 2 4/8/13 9:45:00.000 AM 2746 10 17 333 4 2 41 862 3 4/8/13 9:50:00.000 AM 2770 11 17 359 2 49 827 </CODE></PRE> <P>output from summaryindex </P> <P>time nulll<BR /> somevalue somevalue</P> <P>Please advise..</P> Mon, 08 Apr 2013 17:50:46 GMT praveenvemuri 2013-04-08T17:50:46Z https://community.splunk.com/t5/Splunk-Search/Distinct-count-of-one-field-when-second-field-matches-string-200/m-p/87677#M22414 <P>Hi I am trying two get distinct count of field1 when field2 contains string 200, 500, 400 etc and i am trying to summary index it. i cannot dedup it before eval function as same field1 value can exist in for another response</P> <PRE><CODE>eval response=case(rsppcode LIKE "%200%", 200, rsppcode LIKE "%401%", 401, rsppcode LIKE "%403%", 403, rsppcode LIKE "%404%", 404, rsppcode LIKE "%409%", 409, rsppcode LIKE "%504%", 504, rsppcode LIKE "%500%", 500, rsppcode LIKE "%422%", 422, rsppcode LIKE "%550%", 550, rsppcode LIKE "%", Others ) | timechart span=5min dc(field1) by response </CODE></PRE> <P>tried this one but when summaryindexed. it was unable to recognise response field as it is eval field. all response count is under null.</P> <P>Normal output</P> <PRE><CODE>_time 200 401 403 404 409 422 500 504 NULL 1 4/8/13 9:40:00.000 AM 2151 2 9 87 9 108 2 4/8/13 9:45:00.000 AM 2746 10 17 333 4 2 41 862 3 4/8/13 9:50:00.000 AM 2770 11 17 359 2 49 827 </CODE></PRE> <P>output from summaryindex </P> <P>time nulll<BR /> somevalue somevalue</P> <P>Please advise..</P> Mon, 08 Apr 2013 17:50:46 GMT https://community.splunk.com/t5/Splunk-Search/Distinct-count-of-one-field-when-second-field-matches-string-200/m-p/87677#M22414 praveenvemuri 2013-04-08T17:50:46Z https://community.splunk.com/t5/Splunk-Search/Distinct-count-of-one-field-when-second-field-matches-string-200/m-p/87678#M22415 <P>Try this - put the values for response in quotes </P> <PRE><CODE>eval response=case(rsppcode LIKE "%200%", "200", rsppcode LIKE "%401%", "401", rsppcode LIKE "%403%", "403", rsppcode LIKE "%404%", "404", rsppcode LIKE "%409%", "409", rsppcode LIKE "%504%", "504", rsppcode LIKE "%500%", "500", rsppcode LIKE "%422%", "422", rsppcode LIKE "%550%", "550", rsppcode LIKE "%", "Others" ) | timechart span=5min dc(field1) by response </CODE></PRE> <P>I also recommend that you use <CODE>sitimechart</CODE> instead of <CODE>timechart</CODE> for summary indexing. Look <A href="http://docs.splunk.com/Documentation/Splunk/5.0.2/Knowledge/Usesummaryindexing#Use_the_summary_indexing_reporting_commands">here</A> for more info</P> <P>Finally, I am not sure how the title of this post relates to the question - am I missing something?</P> Tue, 09 Apr 2013 13:57:07 GMT https://community.splunk.com/t5/Splunk-Search/Distinct-count-of-one-field-when-second-field-matches-string-200/m-p/87678#M22415 lguinn2 2013-04-09T13:57:07Z