Solved: count/ subtotal for stats values.

shivarpith · ‎03-21-2016

Hi,

We have a query that brings up the sourcetypes in correlated search using "tstats" Example: tsats datamodel xyz values(sourcetype) as sourcetype by host

result

sourcetype host

sourcetype 1 ABCDtest
sourcetype 2
.
.
.
.
sourcetype 1 ABCDtest

task here is i need tehe events where sourcetypes listed are more than one for a host and show up only those

Requirement

sourcetype host

sourcetype 1 ABCDtest
sourcetype 2

it should be something like addtotals or sum of sourcetype and like where sourcetype>1

Thanks in advance.

martin_mueller · ‎03-21-2016

Add dc(sourcetype) as dc to your tstats, and add | where dc > 1 to your search pipeline.

View solution in original post

martin_mueller · ‎03-21-2016

Add dc(sourcetype) as dc to your tstats, and add | where dc > 1 to your search pipeline.

shivarpith · ‎03-21-2016

Thanks that works 🙂

count/ subtotal for stats values.

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation