Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Count of distinct events by multiple values?

Cuyose
Builder
‎04-30-2015 12:25 PM

This seems easy but for some reason I guess I don't know how to ask the question.

I want a table that looks like this: Where the reason rows are error messages, and the column is another value "location" and I want to get the count of.
reason1, countofA, countofB, countofC, etc.
reason2, countofA, countofB, countofC, etc.

My current stats count by reason, location pipes out a table like below, which I do not want.
reason1,A,countofA
reason1,B,countofB
reason2,A,countofA
etc

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Cuyose
Builder
‎04-30-2015 01:22 PM

I got it, xyseries
| stats count(error) AS numOf by location error
|xyseries error,location,numOf

View solution in original post

Reply
Solved! Jump to solution
Solution

Cuyose
Builder
‎04-30-2015 01:22 PM

I got it, xyseries
| stats count(error) AS numOf by location error
|xyseries error,location,numOf

Reply
Solved! Jump to solution

Flynt
Splunk Employee
Splunk Employee
‎04-30-2015 01:24 PM

Excellent! I see your data was not as I thought. I've upvoted your self answer!

Reply
Solved! Jump to solution

Cuyose
Builder
‎04-30-2015 01:30 PM

Thanks! I knew I had used that before, just got lost in the shuffle, had a brain fart!

0 Karma
Reply
Solved! Jump to solution

fdi01
Motivator
‎04-30-2015 12:56 PM

try like this:

...| stats count(*) as countof* by reason |
0 Karma
Reply
Solved! Jump to solution

Flynt
Splunk Employee
Splunk Employee
‎04-30-2015 01:00 PM

Unfortunately this will just give the full count of the MVfield and not the values IN the MVfield.

0 Karma
Reply
Solved! Jump to solution

Flynt
Splunk Employee
Splunk Employee
‎04-30-2015 12:47 PM

You might be able to get by with using mvexpand and chart

Here's a quick example using dummy values-

 |stats count|eval test="A,B,A"|eval reason="reason1"|makemv test delim=","|mvexpand test|chart count(test) by reason test
0 Karma
Reply
Solved! Jump to solution

Cuyose
Builder
‎04-30-2015 01:14 PM

I need to explain better. If i want to list the count of each http status code by location, the commas are just to delineate columns. each column is a location and the intersection of the error code row and the location column is the count of those error for that location.

error code,location1,location2,location3,location4,location{n}
400,23,45,67,89,
403,etc...
404
500

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...