Reporting

How to achieve stats count on multiple fields?

mistydennis
Communicator

Hi all - this one is hurting my brain. I need to pull two distinct numbers from my events: one with a total count of assets, and one with a total count of assets that contain a vulnerability.

What I think it should look like is not working:

 

 

| (stats dc(AssetNames) AS TotalExternalAssets, (dc(Asset_Names) AS TotalExposedAssets | where vulnerability!="missing"))

 

 

 

How do I get these two counts out of my events?

0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

That command is not a valid Splunk command

What you probably want is

| stats dc(AssetNames) AS TotalExternalAssets
        dc(eval(if(vulnerability!="missing", AssetNames, null()))) AS TotalExposedAssets

I assume the AssetNames field is the same field (not Asset_Names in the second case)

This takes the count of unique assets (first dc()) and the second says 

  • If the vulnerability is not missing, then count AssetNames, otherwise count NULL (this counts as 0)

 

View solution in original post

0 Karma

bowesmana
SplunkTrust
SplunkTrust

That command is not a valid Splunk command

What you probably want is

| stats dc(AssetNames) AS TotalExternalAssets
        dc(eval(if(vulnerability!="missing", AssetNames, null()))) AS TotalExposedAssets

I assume the AssetNames field is the same field (not Asset_Names in the second case)

This takes the count of unique assets (first dc()) and the second says 

  • If the vulnerability is not missing, then count AssetNames, otherwise count NULL (this counts as 0)

 

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...