Splunk Enterprise

How to calculate the number of distinct incidents in each jurisdiction?

scottmkirkland
Loves-to-Learn Lots

I have a dataset with incident numbers and their associated Jurisdiction. It is possible that a incident will be listed in multiple jurisdictions. 

I don't want to dedup(incident_number) globally.

I need to count by jurisdiction, but the dedup or distinct count needs to be within each Jurisdiction. 

Any suggestions?

Labels (1)
0 Karma

bowesmana
SplunkTrust
SplunkTrust

Use the by clause in stats command, e.g.

| stats count by jurisdiction

OR

| stats dc(incident_number) by jurisdiction
0 Karma
Get Updates on the Splunk Community!

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...