https://community.splunk.com/t5/Splunk-Search/stats-on-the-presence-of-a-field/m-p/24024#M4363 <P>The best you can do given your requirement of not knowing the fields ahead of time is:</P> <P><CODE>... | stats count(*) | transpose</CODE></P> <P>This will give you a count of ALL fields present in the search. </P> <P>Hope this helps.</P> <P><CODE>&gt; please upvote and accept answer if you find it useful - thanks!</CODE></P> Tue, 29 Nov 2011 20:47:05 GMT _d_ 2011-11-29T20:47:05Z https://community.splunk.com/t5/Splunk-Search/stats-on-the-presence-of-a-field/m-p/24021#M4360 <P>Hi,<BR /> I have a set of splunk entries where it can be one of several pattern of fields. So for example:</P> <P>2011-01-01T12:00:00.000-0800 a=1 b=2<BR /> 2011-01-01T12:00:00.001-0800 a=1 b=2<BR /> 2011-01-01T12:00:00.002-0800 c=10<BR /> 2011-01-01T12:00:00.003-0800 c=10<BR /> 2011-01-01T12:00:00.004-0800 c=10<BR /> 2011-01-01T12:00:00.005-0800 d=99</P> <P>So with the above data I want to get the count of the presence of a field. So the output of such a query would be something like this:</P> <P>fields | count<BR /> a | 2<BR /> b | 2<BR /> c | 3<BR /> d | 1</P> <P>Can anyone suggest a query for me to use to do this?</P> Tue, 29 Nov 2011 00:58:53 GMT https://community.splunk.com/t5/Splunk-Search/stats-on-the-presence-of-a-field/m-p/24021#M4360 Samslara 2011-11-29T00:58:53Z https://community.splunk.com/t5/Splunk-Search/stats-on-the-presence-of-a-field/m-p/24022#M4361 <P>Is it important to have the results in columns rather than rows?</P> <P>You could do</P> <PRE><CODE>... | stats count(a),count(b),count(c),count(d) </CODE></PRE> <P>which will give you a count of each field in a new column. If you want it in rows instead, as in your example, use <CODE>transpose</CODE>:</P> <PRE><CODE>... | stats count(a),count(b),count(c),count(d) | transpose </CODE></PRE> Tue, 29 Nov 2011 07:54:29 GMT https://community.splunk.com/t5/Splunk-Search/stats-on-the-presence-of-a-field/m-p/24022#M4361 Ayn 2011-11-29T07:54:29Z https://community.splunk.com/t5/Splunk-Search/stats-on-the-presence-of-a-field/m-p/24023#M4362 <P>This would work if I knew all the fields that would be present, but suppose I didn't know. Is there a way to do this?</P> Tue, 29 Nov 2011 20:21:17 GMT https://community.splunk.com/t5/Splunk-Search/stats-on-the-presence-of-a-field/m-p/24023#M4362 Samslara 2011-11-29T20:21:17Z https://community.splunk.com/t5/Splunk-Search/stats-on-the-presence-of-a-field/m-p/24024#M4363 <P>The best you can do given your requirement of not knowing the fields ahead of time is:</P> <P><CODE>... | stats count(*) | transpose</CODE></P> <P>This will give you a count of ALL fields present in the search. </P> <P>Hope this helps.</P> <P><CODE>&gt; please upvote and accept answer if you find it useful - thanks!</CODE></P> Tue, 29 Nov 2011 20:47:05 GMT https://community.splunk.com/t5/Splunk-Search/stats-on-the-presence-of-a-field/m-p/24024#M4363 _d_ 2011-11-29T20:47:05Z https://community.splunk.com/t5/Splunk-Search/stats-on-the-presence-of-a-field/m-p/24025#M4364 <P>Just use wildcards:</P> <PRE><CODE>... | stats count(*) </CODE></PRE> Tue, 29 Nov 2011 21:05:26 GMT https://community.splunk.com/t5/Splunk-Search/stats-on-the-presence-of-a-field/m-p/24025#M4364 Ayn 2011-11-29T21:05:26Z https://community.splunk.com/t5/Splunk-Search/stats-on-the-presence-of-a-field/m-p/24026#M4365 <P>Thanks, this was very helpful.</P> Tue, 29 Nov 2011 21:45:15 GMT https://community.splunk.com/t5/Splunk-Search/stats-on-the-presence-of-a-field/m-p/24026#M4365 Samslara 2011-11-29T21:45:15Z https://community.splunk.com/t5/Splunk-Search/stats-on-the-presence-of-a-field/m-p/24027#M4366 <P>Thank you.</P> Tue, 29 Nov 2011 21:48:30 GMT https://community.splunk.com/t5/Splunk-Search/stats-on-the-presence-of-a-field/m-p/24027#M4366 Samslara 2011-11-29T21:48:30Z https://community.splunk.com/t5/Splunk-Search/stats-on-the-presence-of-a-field/m-p/24028#M4367 <P>One way I was going about it was to use rex:</P> <P>... | rex field=_raw "\t(?<MYFIELDS>[^=]+)=\d+\t" max_match=10 | stats count by myFields</MYFIELDS></P> <P>Though this isn't as general as the accepted answer nor probably as fast.</P> Mon, 28 Sep 2020 10:09:50 GMT https://community.splunk.com/t5/Splunk-Search/stats-on-the-presence-of-a-field/m-p/24028#M4367 Samslara 2020-09-28T10:09:50Z