Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Count of distinct events by multiple values?

Cuyose
Builder
‎04-30-2015 12:25 PM

This seems easy but for some reason I guess I don't know how to ask the question.

I want a table that looks like this: Where the reason rows are error messages, and the column is another value "location" and I want to get the count of.
reason1, countofA, countofB, countofC, etc.
reason2, countofA, countofB, countofC, etc.

My current stats count by reason, location pipes out a table like below, which I do not want.
reason1,A,countofA
reason1,B,countofB
reason2,A,countofA
etc

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Cuyose
Builder
‎04-30-2015 01:22 PM

I got it, xyseries
| stats count(error) AS numOf by location error
|xyseries error,location,numOf

View solution in original post

Reply
Solved! Jump to solution
Solution

Cuyose
Builder
‎04-30-2015 01:22 PM

I got it, xyseries
| stats count(error) AS numOf by location error
|xyseries error,location,numOf

Reply
Solved! Jump to solution

Flynt
Splunk Employee
Splunk Employee
‎04-30-2015 01:24 PM

Excellent! I see your data was not as I thought. I've upvoted your self answer!

Reply
Solved! Jump to solution

Cuyose
Builder
‎04-30-2015 01:30 PM

Thanks! I knew I had used that before, just got lost in the shuffle, had a brain fart!

0 Karma
Reply
Solved! Jump to solution

fdi01
Motivator
‎04-30-2015 12:56 PM

try like this:

...| stats count(*) as countof* by reason |
0 Karma
Reply
Solved! Jump to solution

Flynt
Splunk Employee
Splunk Employee
‎04-30-2015 01:00 PM

Unfortunately this will just give the full count of the MVfield and not the values IN the MVfield.

0 Karma
Reply
Solved! Jump to solution

Flynt
Splunk Employee
Splunk Employee
‎04-30-2015 12:47 PM

You might be able to get by with using mvexpand and chart

Here's a quick example using dummy values-

 |stats count|eval test="A,B,A"|eval reason="reason1"|makemv test delim=","|mvexpand test|chart count(test) by reason test
0 Karma
Reply
Solved! Jump to solution

Cuyose
Builder
‎04-30-2015 01:14 PM

I need to explain better. If i want to list the count of each http status code by location, the commas are just to delineate columns. each column is a location and the intersection of the error code row and the location column is the count of those error for that location.

error code,location1,location2,location3,location4,location{n}
400,23,45,67,89,
403,etc...
404
500

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...