Issue with stats count with multiple fields

a238574 · ‎07-25-2019

I am using the stats count function to get a count of unique events. as part of the list I am want to show additional fields in the Statistics output. When I run my fairly simple query and use |stats count by field1 the numbers look correct. When I use | stats count by field1,field2,field3,field4 The count seems to increase more for each field I add but the strange thing is that the number of Statistics in the results does not change. For my real query I get 990 events and 142 entries on the Statistics tab for every search no matter how many fields I use in the stats count but the count for each statistic in the list grows every time I add a field.

a238574 · ‎07-26-2019

Did some more testing trying to figure out why the count was increasing and my results got worse. I made a simple search looking to produce a set of results where the field I count by should equal the number of events...

index=x accountid=123456789 | stats count by accountid

The search returns 936 events but the count is 1248.... how does it get to 1248 from 936 events

vnravikumar · ‎07-25-2019

Hi

Try like

|stats count,  list(field2)  as field2,list(field3) as field3,list(field4) as field4 by field1

a238574 · ‎07-26-2019

That produces a multi line output for each unique event

Issue with stats count with multiple fields

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!