Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to display two single value total counts based on a single field?

jdepp
Path Finder
‎11-21-2016 09:56 AM

I am trying to display, in a panel, 2 single value total counts of messages based on a single field. The first should be the total messages while the second should the number of duplicates based on a single field.
For example, I thought the following would work:

source="/message.stats/tcp/10007"| stats count by id as Total | where count>1

This would display the total count of messages where there are duplicate values for the Id field. 

source="/message.stats/tcp/10007"| stats count by id as Total

This should display the total count of messages. I am not sure how to combine the two. If not possible, I could just create 2 separate panels.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-21-2016 10:22 AM

Try this

source="/message.stats/tcp/10007" | eventstats count as total | eventstats count as duplicates by id | stats count(eval(duplicates>1)) as no_duplicates values(total) as total | eval msg=no_duplicates." of ".total

You may want to change the count(eval(duplicates>1)) to sum(eval(duplicates>1))

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-21-2016 10:22 AM

Try this

source="/message.stats/tcp/10007" | eventstats count as total | eventstats count as duplicates by id | stats count(eval(duplicates>1)) as no_duplicates values(total) as total | eval msg=no_duplicates." of ".total

You may want to change the count(eval(duplicates>1)) to sum(eval(duplicates>1))

Reply
Solved! Jump to solution

jdepp
Path Finder
‎11-22-2016 10:35 AM

thanks a million; this worked for me

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎11-21-2016 10:05 AM 
 source="/message.stats/tcp/10007"
|stats count by id 
|eval duplicateCount=if(count>1,count,null())
|addcoltotals
|eval singleValue=count+" total messages; "+duplicateCount+" total duplicate messages"
|search id="Total"
|fields singleValue

that should get you the total values for both the total and duplicates.
the stats is counting all events by id, then the eval only brings back the count if each id has more than one. then it's adding up the totals for each column and concatenating them together into a field called singleValue and only bringing back that value/field.

Reply
Solved! Jump to solution

jdepp
Path Finder
‎11-22-2016 10:35 AM

Appreciate the response; when with the first solution.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...