Count the number of different value of a field, an...

zonglin123 · ‎02-08-2021

I have some domain like this:

domain |
A |
B |
C |
D |
......

One domain can be called in one request, now I want to know what is the average request number per minute for a domain (no matter what domain is). So I split it into three steps:
1) get the total request number per minute
2) get the number of domains been called per minute
3) avg = total request number per minute / number of domain per minute

I have got the result of the first step by:
```
index="whatever" source="sourceurl"
| bin _time span=1m
| stats count as requestsPerMin by _time
```

However, I don't know how to get the number of domains that been called. For example, in a minute, domain A has been called twice, domain B has been called once, so the number of domains that been called should be two. But I don't know which query can get this result.

I appreciate it if someone can help, sorry if it is duplicated.

richgalloway · ‎02-08-2021

Use the distinct_count (dc) function instead of count in stats.

---
If this reply helps you, Karma would be appreciated.

bowesmana · ‎02-08-2021

@zonglin123

| stats count as requestsPerMin dc(domain) as domains by _time

dc=distinct count

Count the number of different value of a field, and get the average per minute

stats

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!