Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to calculate the number of distinct incidents in each jurisdiction?

scottmkirkland
Engager
‎01-24-2023 03:44 PM

I have a dataset with incident numbers and their associated Jurisdiction. It is possible that a incident will be listed in multiple jurisdictions. 

I don't want to dedup(incident_number) globally.

I need to count by jurisdiction, but the dedup or distinct count needs to be within each Jurisdiction. 

Any suggestions?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎01-24-2023 04:06 PM

Use the by clause in stats command, e.g.

| stats count by jurisdiction

OR

| stats dc(incident_number) by jurisdiction

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎01-24-2023 04:06 PM

Use the by clause in stats command, e.g.

| stats count by jurisdiction

OR

| stats dc(incident_number) by jurisdiction
Reply
Get Updates on the Splunk Community!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Attention everyone! We have exciting news to share! We are recruiting new members for the Mission Possible: ...

Unify Your SecOps with Splunk Mission Control

In today’s post, I'm excited to share some recent Splunk Mission Control innovations. With Splunk Mission ...

Data Preparation Made Easy: SPL2 for Edge Processor

By now, you may have heard the exciting news that Edge Processor, the easy-to-use Splunk data preparation tool ...