Splunk Search

Can you help us with a basic search that uses the stats command?

Contributor

Hi,

With the search below, I count the number of events by source for a sourcetype.

But different sources use the same sourcetype.

So I have the sourcetype field repeated many times.

I just want to count the number of events by source for only one sourcetype.

index=x| stats count by sourcetype, source

I tried this but it doesn't do what I want

index="x" sourcetype=* host=* 
| stats values(source) by sourcetype| stats count by sourcetype, source

could you help me please?


Re: Can you help us with a basic search that uses the stats command?

SplunkTrust

@jip31

Are you looking for these?

| chart count over sourcetype by source

OR

| chart count over source by sourcetype

Re: Can you help us with a basic search that uses the stats command?

Contributor

not exactly
I need to have a table with a column with the sourcetype name, a column linked to the first column in order to have all the sources for a specific sourcetype, and a last column with the count of events by source.


Re: Can you help us with a basic search that uses the stats command?

Communicator

Could you provide an example, screenshot or some events and try to describe the desired outcome with their values?
For me your SPL is answering your question already.


Re: Can you help us with a basic search that uses the stats command?

SplunkTrust

@jip31 ,

If you want to group all sources by sourcetype, try this

index="your index"
| stats count by sourcetype,source
| stats values(source) as source,values(count) as count by sourcetype

Updated
In the above result, source and count might not have a 1-1 mapping, since values() sorts them lexicographically.
Try instead

| stats count by source,sourcetype
| eval combined=source." | ".count
| stats values(combined) as source by sourcetype

Re: Can you help us with a basic search that uses the stats command?

Contributor

Perfect, renjith, many thanks.


Re: Can you help us with a basic search that uses the stats command?

SplunkTrust

@jip31, what @FrankVl mentioned is absolutely right. You might not have a 1-1 mapping between source and count. If you need this, try something like this:

| stats count by source,sourcetype
| eval combined=source." | ".count
| stats values(combined) as source by sourcetype

I will update the answer and would "unaccept" it.


Re: Can you help us with a basic search that uses the stats command?

Ultra Champion

Basically his requirements are conflicting. He wants count by sourcetype,source, but without repeating the sourcetype value each time.

Now, you can of course pull tricks like combining source and count in 1 field. Or something like this:

| stats count by source,sourcetype
| stats list(source) as source list(count) as count by sourcetype

(list keeps the original order)

But I'm quite curious why a simple | stats count by source,sourcetype wouldn't be OK.

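To make the ordering problem concrete, here is an added Python emulation (not Splunk code, and not from any poster in this thread) of the three summaries proposed above: the values(source)/values(count) table from the updated answer, the list() variant, and the source." | ".count trick. The events and file paths are constructed. values() is modelled as Splunk documents it (distinct values only, sorted lexicographically, so numeric counts sort as strings and "12" comes before "3"), list() as row order with duplicates kept (Splunk caps list() at 100 values, which the emulation ignores), and stats output as ordered by its split-by fields.

```python
"""Emulate `stats count by`, values(), list() and the combined-field trick
over constructed events to show which summaries keep source and count aligned."""
from collections import Counter

# Constructed events (not real data). Counts are chosen so that the string
# order of the counts ("12" < "3") differs from numeric order, and two syslog
# sources share a count so that values() deduplicates it.
EVENTS = (
    [{"sourcetype": "access_combined", "source": "/var/log/web/site-b.log"}] * 12
    + [{"sourcetype": "access_combined", "source": "/var/log/web/site-a.log"}] * 3
    + [{"sourcetype": "syslog", "source": "/var/log/auth.log"}] * 5
    + [{"sourcetype": "syslog", "source": "/var/log/kern.log"}] * 5
    + [{"sourcetype": "syslog", "source": "/var/log/messages"}] * 7
)


def stats_count_by(events, *fields):
    """`| stats count by f1,f2`: one row per distinct combination, ordered by the by-fields."""
    counts = Counter(tuple(ev[f] for f in fields) for ev in events)
    return [dict(zip(fields, key), count=n) for key, n in sorted(counts.items())]


def group_by(rows, by):
    """Bucket rows by one field, preserving row order inside each bucket."""
    groups = {}
    for row in rows:
        groups.setdefault(row[by], []).append(row)
    return groups


def stats_values(rows, by, field):
    """values(field) by `by`: DISTINCT values, sorted lexicographically as strings."""
    return {k: sorted({str(r[field]) for r in grp}) for k, grp in group_by(rows, by).items()}


def stats_list(rows, by, field):
    """list(field) by `by`: every value in row order, duplicates kept."""
    return {k: [str(r[field]) for r in grp] for k, grp in group_by(rows, by).items()}


def zip_columns(sources, counts):
    """Pair the two multivalue columns position by position, as a reader of the table would."""
    return {st: dict(zip(sources[st], counts[st])) for st in sources}


def truth(events):
    """Ground truth: the real per-source count inside each sourcetype."""
    rows = stats_count_by(events, "sourcetype", "source")
    return {st: {r["source"]: str(r["count"]) for r in grp}
            for st, grp in group_by(rows, "sourcetype").items()}


def values_table(events):
    """`| stats count by sourcetype,source | stats values(source),values(count) by sourcetype`"""
    rows = stats_count_by(events, "sourcetype", "source")
    return zip_columns(stats_values(rows, "sourcetype", "source"),
                       stats_values(rows, "sourcetype", "count"))


def list_table(events):
    """`| stats count by source,sourcetype | stats list(source),list(count) by sourcetype`"""
    rows = stats_count_by(events, "source", "sourcetype")
    return zip_columns(stats_list(rows, "sourcetype", "source"),
                       stats_list(rows, "sourcetype", "count"))


def combined_table(events):
    """`| eval combined=source." | ".count | stats values(combined) by sourcetype`:
    source and count travel in one string, so sorting cannot separate them."""
    rows = stats_count_by(events, "source", "sourcetype")
    for r in rows:
        r["combined"] = f'{r["source"]} | {r["count"]}'
    combined = stats_values(rows, "sourcetype", "combined")
    return {st: dict(v.rsplit(" | ", 1) for v in vals) for st, vals in combined.items()}


if __name__ == "__main__":
    for name, fn in (("values()", values_table), ("list()", list_table), ("combined", combined_table)):
        print(f"{name:9} matches truth: {fn(EVENTS) == truth(EVENTS)}")
```

On this input the values() table pairs site-a with 12 and site-b with 3 (the counts sorted as strings), and the syslog row has three sources but only two counts because the duplicate 5 collapsed; the list() table and the combined-field table both reproduce the true mapping.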

Re: Can you help us with a basic search that uses the stats command?

Ultra Champion

Note that this way you have no way of telling which count belongs to which source, as values() does a lexicographical sort.


Re: Can you help us with a basic search that uses the stats command?

Explorer

index=yourindex sourcetype="sourcetype you are looking for" | stats count by source

another way

index=yourindex | search sourcetype="sourcetype you are looking for" | stats count by source
