Issue with stats count with multiple fields

Path Finder

I am using the stats count function to get a count of unique events. As part of the list I want to show additional fields in the Statistics output. When I run my fairly simple query and use |stats count by field1 the numbers look correct. When I use | stats count by field1,field2,field3,field4 the count seems to increase more for each field I add, but the strange thing is that the number of Statistics in the results does not change. For my real query I get 990 events and 142 entries on the Statistics tab for every search, no matter how many fields I use in the stats count, but the count for each statistic in the list grows every time I add a field.

0 Karma

Path Finder

Did some more testing trying to figure out why the count was increasing and my results got worse. I made a simple search looking to produce a set of results where the field I count by should equal the number of events...

index=x accountid=123456789 | stats count by accountid

The search returns 936 events but the count is 1248.... How does it get to 1248 from 936 events?

0 Karma

Champion

Hi

Try like

| stats count, list(field2) as field2, list(field3) as field3, list(field4) as field4 by field1
0 Karma

Path Finder

That produces a multi-line output for each unique event.

0 Karma