Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display two single value total counts based on a single field?

jdepp
Path Finder
‎11-21-2016 09:56 AM

I am trying to display, in a panel, 2 single value total counts of messages based on a single field. The first should be the total messages while the second should the number of duplicates based on a single field.
For example, I thought the following would work:

source="/message.stats/tcp/10007"| stats count by id as Total | where count>1

This would display the total count of messages where there are duplicate values for the Id field. 

source="/message.stats/tcp/10007"| stats count by id as Total

This should display the total count of messages. I am not sure how to combine the two. If not possible, I could just create 2 separate panels.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-21-2016 10:22 AM

Try this

source="/message.stats/tcp/10007" | eventstats count as total | eventstats count as duplicates by id | stats count(eval(duplicates>1)) as no_duplicates values(total) as total | eval msg=no_duplicates." of ".total

You may want to change the count(eval(duplicates>1)) to sum(eval(duplicates>1))

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-21-2016 10:22 AM

Try this

source="/message.stats/tcp/10007" | eventstats count as total | eventstats count as duplicates by id | stats count(eval(duplicates>1)) as no_duplicates values(total) as total | eval msg=no_duplicates." of ".total

You may want to change the count(eval(duplicates>1)) to sum(eval(duplicates>1))

Reply
Solved! Jump to solution

jdepp
Path Finder
‎11-22-2016 10:35 AM

thanks a million; this worked for me

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎11-21-2016 10:05 AM 
 source="/message.stats/tcp/10007"
|stats count by id 
|eval duplicateCount=if(count>1,count,null())
|addcoltotals
|eval singleValue=count+" total messages; "+duplicateCount+" total duplicate messages"
|search id="Total"
|fields singleValue

that should get you the total values for both the total and duplicates.
the stats is counting all events by id, then the eval only brings back the count if each id has more than one. then it's adding up the totals for each column and concatenating them together into a field called singleValue and only bringing back that value/field.

Reply
Solved! Jump to solution

jdepp
Path Finder
‎11-22-2016 10:35 AM

Appreciate the response; when with the first solution.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...