Solved: Can you help us with a basic search that uses the ... - Page 2

jip31 · ‎03-05-2019

Hi,

With the code below, I count the event number by source for a sourcetype.

But different sources use the same sourcetype.

So I have the sourcetype field reproduced many times.

I just want to count the events number by source for only one sourcetype.

index=x| stats count by sourcetype, source

I tried this but it doesn't do what I want

index="x" sourcetype=* host=* 
| stats values(source) by sourcetype| stats count by sourcetype, source

could you help me please?

FrankVl · ‎03-05-2019

"I need to have a table with a column with the sourcetype name, a column linked to the first column in order to have all the sources for a specific sourcetype and a last column with the count of events by source...."

Your original attempt was close, but you need to combine both into 1 stats command, like this:

index="x"
| stats count values(source) by sourcetype

Edit: Just realized I read your requirement wrong. You need the count by source, not by sourcetype, so above would not really work. But your requirements are then conflicting. You want the count by sourcetype,source, but for some reason have a problem with repeating the sourcetype value for each related source.

This should do the trick:

 | stats count by source,sourcetype
 | stats list(source) as source list(count) as count by sourcetype

View solution in original post

Can you help us with a basic search that uses the stats command?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life