Splunk Search

Distinct Count of Field1 and field2

heamik
Engager

I am trying to get a distinct count of tacking id from all of our production indexes. The issue I am running into is that for internal indexes my field of interest is named "trackingid" and for external indexes the field is named "trackingId". 

I have tried several things and can only get values for either internal or external, and or both in separate columns. I cannot get both fields renamed as "tid". Which would then be split by region based on host.

Labels (4)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
| eval trackingid=coalesce(trackingid,trackingId)

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| eval trackingid=coalesce(trackingid,trackingId)
0 Karma

heamik
Engager

Thank you so much!!! That solved the problem perfectly!

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...