Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Count by values for two fields like a table

nkotha
New Member
‎11-06-2015 01:22 PM

I have events coming with two distinct key say "Key1" and "Key2". Expected value for these keys are 1 to 3. I want a table where I can see the count of each key for every possible value like...

Value | count(Key1) | count( Key2)
1 | 10 | 3
2 | 1 | 15
3 | 4 | 6

tried "| stats count(key1), count(key2) by value" but that doesn't work

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-07-2015 01:53 PM

This was another fun one! Like this (If confused, look at the results without each of the last 2 lines):

...  | multireport
        [ stats count AS "count(Key1)" BY Key1 ]
        [ stats count AS "count(Key2)" BY Key2 ]
     | eval Value=coalesce(Key1, Key2)
     | fields - Key* | stats first(*) AS * BY Value

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-07-2015 01:53 PM

This was another fun one! Like this (If confused, look at the results without each of the last 2 lines):

...  | multireport
        [ stats count AS "count(Key1)" BY Key1 ]
        [ stats count AS "count(Key2)" BY Key2 ]
     | eval Value=coalesce(Key1, Key2)
     | fields - Key* | stats first(*) AS * BY Value
0 Karma
Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎11-07-2015 08:59 AM

What does the example you provide | stats count(key1), count(key2) by value do that's incorrect? Can you provide a sample of 5 or 10 events and the actual results/totals you'd get using those 5 or 10 events?

Thanks - that would go a long ways toward helping everyone understand the issue, which would go a long ways toward getting some possible answers.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...