Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Count of distinct events by multiple values?

Cuyose
Builder
‎04-30-2015 12:25 PM

This seems easy but for some reason I guess I don't know how to ask the question.

I want a table that looks like this: Where the reason rows are error messages, and the column is another value "location" and I want to get the count of.
reason1, countofA, countofB, countofC, etc.
reason2, countofA, countofB, countofC, etc.

My current stats count by reason, location pipes out a table like below, which I do not want.
reason1,A,countofA
reason1,B,countofB
reason2,A,countofA
etc

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Cuyose
Builder
‎04-30-2015 01:22 PM

I got it, xyseries
| stats count(error) AS numOf by location error
|xyseries error,location,numOf

View solution in original post

Reply
Solved! Jump to solution
Solution

Cuyose
Builder
‎04-30-2015 01:22 PM

I got it, xyseries
| stats count(error) AS numOf by location error
|xyseries error,location,numOf

Reply
Solved! Jump to solution

Flynt
Splunk Employee
Splunk Employee
‎04-30-2015 01:24 PM

Excellent! I see your data was not as I thought. I've upvoted your self answer!

Reply
Solved! Jump to solution

Cuyose
Builder
‎04-30-2015 01:30 PM

Thanks! I knew I had used that before, just got lost in the shuffle, had a brain fart!

0 Karma
Reply
Solved! Jump to solution

fdi01
Motivator
‎04-30-2015 12:56 PM

try like this:

...| stats count(*) as countof* by reason |
0 Karma
Reply
Solved! Jump to solution

Flynt
Splunk Employee
Splunk Employee
‎04-30-2015 01:00 PM

Unfortunately this will just give the full count of the MVfield and not the values IN the MVfield.

0 Karma
Reply
Solved! Jump to solution

Flynt
Splunk Employee
Splunk Employee
‎04-30-2015 12:47 PM

You might be able to get by with using mvexpand and chart

Here's a quick example using dummy values-

 |stats count|eval test="A,B,A"|eval reason="reason1"|makemv test delim=","|mvexpand test|chart count(test) by reason test
0 Karma
Reply
Solved! Jump to solution

Cuyose
Builder
‎04-30-2015 01:14 PM

I need to explain better. If i want to list the count of each http status code by location, the commas are just to delineate columns. each column is a location and the intersection of the error code row and the location column is the count of those error for that location.

error code,location1,location2,location3,location4,location{n}
400,23,45,67,89,
403,etc...
404
500

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...