Dashboards & Visualizations
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display two single value total counts based on a single field?

jdepp
Path Finder
‎11-21-2016 09:56 AM

I am trying to display, in a panel, 2 single value total counts of messages based on a single field. The first should be the total messages while the second should the number of duplicates based on a single field.
For example, I thought the following would work:

source="/message.stats/tcp/10007"| stats count by id as Total | where count>1

This would display the total count of messages where there are duplicate values for the Id field. 

source="/message.stats/tcp/10007"| stats count by id as Total

This should display the total count of messages. I am not sure how to combine the two. If not possible, I could just create 2 separate panels.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-21-2016 10:22 AM

Try this

source="/message.stats/tcp/10007" | eventstats count as total | eventstats count as duplicates by id | stats count(eval(duplicates>1)) as no_duplicates values(total) as total | eval msg=no_duplicates." of ".total

You may want to change the count(eval(duplicates>1)) to sum(eval(duplicates>1))

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-21-2016 10:22 AM

Try this

source="/message.stats/tcp/10007" | eventstats count as total | eventstats count as duplicates by id | stats count(eval(duplicates>1)) as no_duplicates values(total) as total | eval msg=no_duplicates." of ".total

You may want to change the count(eval(duplicates>1)) to sum(eval(duplicates>1))

Reply
Solved! Jump to solution

jdepp
Path Finder
‎11-22-2016 10:35 AM

thanks a million; this worked for me

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎11-21-2016 10:05 AM 
 source="/message.stats/tcp/10007"
|stats count by id 
|eval duplicateCount=if(count>1,count,null())
|addcoltotals
|eval singleValue=count+" total messages; "+duplicateCount+" total duplicate messages"
|search id="Total"
|fields singleValue

that should get you the total values for both the total and duplicates.
the stats is counting all events by id, then the eval only brings back the count if each id has more than one. then it's adding up the totals for each column and concatenating them together into a field called singleValue and only bringing back that value/field.

Reply
Solved! Jump to solution

jdepp
Path Finder
‎11-22-2016 10:35 AM

Appreciate the response; when with the first solution.

0 Karma
Reply
Get Updates on the Splunk Community!

Best Strategies to Optimize Observability Costs

 Join us on Tuesday, May 6, 2025, at 11 AM PDT / 2 PM EDT for an insightful session on optimizing ...

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...
Top