Solved: summary indexing with sisat distinct count without...

pshumate · ‎08-08-2012

... |sistats dc(clientip) by host

Returns :
host psrsvd_ct_clientip psrsvd_gc psrsvd_v psrsvd_vm_clientip

Where psrsvd_vm_clientip is the list of the unique ip's. All i need it the count not the detail in the summary index. What is the best way just get the dc(clientip)?

lguinn2 · ‎08-08-2012

The sistats distinct count function MUST keep a list of unique ips, as the sistats command is designed to put information into a summary index. When computing the "final" distinct count from a summary index, splunk has to be able to dedup the counts from all the time periods.

When you put data into a summary index, use sistats.

When you get data from a summary index, use stats.

index=summary search_name=the_search_that_put_the_data_in | stats dc(clientip) by host

should do what you want.

View solution in original post

lguinn2 · ‎08-08-2012

The sistats distinct count function MUST keep a list of unique ips, as the sistats command is designed to put information into a summary index. When computing the "final" distinct count from a summary index, splunk has to be able to dedup the counts from all the time periods.

When you put data into a summary index, use sistats.

When you get data from a summary index, use stats.

index=summary search_name=the_search_that_put_the_data_in | stats dc(clientip) by host

should do what you want.

splunkreal · ‎10-20-2023

Thanks for the solution!

We can use | sistats values(myfield) as myfield to populate summary index.

* If this helps, please upvote or accept solution if it solved *

pshumate · ‎08-09-2012

same thing I came up with. Thanks for the help.

summary indexing with sisat distinct count without the list of what is counted

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...