topic Help with stats for troubleshooting different result sets in Splunk Search https://community.splunk.com/t5/Splunk-Search/Help-with-stats-for-troubleshooting-different-result-sets/m-p/87852#M22456 <P>I have a table with the following fields:</P> <P>table qualys_id,exploit_cve_id,exploit_name,exploit_source,exploit_url</P> <P>Doing a dedup on exploit_cve_id,exploit_name and exploit_cve_id,exploit_url yields different results. I'm guessing that there are some data integrity issues. I would like to view a table with a count of both the exploit_name and the exploit_url appended to each result so I can sort them and try and figure out where the differences are.</P> <P>So, the table would ideally be:</P> <P>table qualys_id,exploit_cve_id,exploit_name,exploit_source,exploit_url,name_count,url_count</P> <P>Is this possible?</P> <P>Thx.</P> <P>Craig</P> Mon, 28 Sep 2020 12:00:37 GMT responsys_cm 2020-09-28T12:00:37Z Help with stats for troubleshooting different result sets https://community.splunk.com/t5/Splunk-Search/Help-with-stats-for-troubleshooting-different-result-sets/m-p/87852#M22456 <P>I have a table with the following fields:</P> <P>table qualys_id,exploit_cve_id,exploit_name,exploit_source,exploit_url</P> <P>Doing a dedup on exploit_cve_id,exploit_name and exploit_cve_id,exploit_url yields different results. I'm guessing that there are some data integrity issues. I would like to view a table with a count of both the exploit_name and the exploit_url appended to each result so I can sort them and try and figure out where the differences are.</P> <P>So, the table would ideally be:</P> <P>table qualys_id,exploit_cve_id,exploit_name,exploit_source,exploit_url,name_count,url_count</P> <P>Is this possible?</P> <P>Thx.</P> <P>Craig</P> Mon, 28 Sep 2020 12:00:37 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-stats-for-troubleshooting-different-result-sets/m-p/87852#M22456 responsys_cm 2020-09-28T12:00:37Z Re: Help with stats for troubleshooting different result sets https://community.splunk.com/t5/Splunk-Search/Help-with-stats-for-troubleshooting-different-result-sets/m-p/87853#M22457 <P>I think so, but there are different ways to approach it. This search tries to count everything cross-tabulated with everything else. It will show you the syntax, but it may not really help with your problem.</P> <PRE><CODE>yoursearchhere | stats count(exploit_url) as exploit_url_count count(exploit_name) as exploit_name_count dc(exploit_url) as exploit_url_unique dc(exploit_name) as exploit_name_unique by qualys_id exploit_cve_id exploit_name exploit_source exploit_url </CODE></PRE> <P>The count(exploit...) functions count the number of events, while the dc(exploit...) functions count the number of unique values of the field.<BR /><BR /> The fields following the "by" are the fields that are used to break out the subtotals.<BR /><BR /> I just wonder if any of the counts will be greater than one, given the breakout.</P> <P>Maybe one of these searches would be more useful to find weirdness:</P> <PRE><CODE>yoursearchhere | stats count by by qualys_id exploit_cve_id exploit_name exploit_source | where count &gt; 1 </CODE></PRE> <P>would show you all the ids that probably are associated with more than one exploit_url.</P> <PRE><CODE>yoursearchhere | stats count by by qualys_id exploit_cve_id exploit_url exploit_source | where count &gt; 1 </CODE></PRE> <P>would show you all the ids that probably are associated with more than one exploit_name. And so forth.</P> Mon, 02 Jul 2012 22:44:01 GMT https://community.splunk.com/t5/Splunk-Search/Help-with-stats-for-troubleshooting-different-result-sets/m-p/87853#M22457 lguinn2 2012-07-02T22:44:01Z