Solved: How to achieve stats count on multiple fields?

mistydennis · ‎02-09-2023

Hi all - this one is hurting my brain. I need to pull two distinct numbers from my events: one with a total count of assets, and one with a total count of assets that contain a vulnerability.

What I think it should look like is not working:

| (stats dc(AssetNames) AS TotalExternalAssets, (dc(Asset_Names) AS TotalExposedAssets | where vulnerability!="missing"))

How do I get these two counts out of my events?

bowesmana · ‎02-09-2023

That command is not a valid Splunk command

What you probably want is

| stats dc(AssetNames) AS TotalExternalAssets
        dc(eval(if(vulnerability!="missing", AssetNames, null()))) AS TotalExposedAssets

I assume the AssetNames field is the same field (not Asset_Names in the second case)

This takes the count of unique assets (first dc()) and the second says

If the vulnerability is not missing, then count AssetNames, otherwise count NULL (this counts as 0)

View solution in original post

bowesmana · ‎02-09-2023

That command is not a valid Splunk command

What you probably want is

| stats dc(AssetNames) AS TotalExternalAssets
        dc(eval(if(vulnerability!="missing", AssetNames, null()))) AS TotalExposedAssets

I assume the AssetNames field is the same field (not Asset_Names in the second case)

This takes the count of unique assets (first dc()) and the second says

If the vulnerability is not missing, then count AssetNames, otherwise count NULL (this counts as 0)

How to achieve stats count on multiple fields?

other

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability