Solved: How do you count the number of unique values in a ...

russell120 · ‎11-06-2018

Hi,

How do I search through a field like field_a for its unique values and then return the counts of each value in a new table?
example.csv

field_a
purple
purple
purple
gold
gold
black

How do I return a table that looks like this:

newField  count
purple      3
gold        2
black       1

In reality I have hundreds of values so the query needs to be able to find all unique values, not just "purple", "gold", and "black".

Thank you.

sudosplunk · ‎11-06-2018

Give this a try your_base_search | top limit=0 field_a | fields field_a count

top command, can be used to display the most common values of a field, along with their count and percentage.
fields command, keeps fields which you specify, in the output.

View solution in original post

sxddhxrthx · ‎12-19-2018

This can be achieved by using a simple stats count by command

your base search | stats count by field_a

sudosplunk · ‎11-06-2018

Give this a try your_base_search | top limit=0 field_a | fields field_a count

top command, can be used to display the most common values of a field, along with their count and percentage.
fields command, keeps fields which you specify, in the output.

russell120 · ‎11-06-2018

I completely forgot about top. This works, thanks!

How do you count the number of unique values in a field to return in a new table?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies