Splunk Search

Distinct count of multiple values from the same field

kamaleshwar
Explorer

I have some fields "Codes" "Count". In the "Codes" field i'll get multiple values and will count the values totally by using "dc(Codes) as Count". But i need the unique count of each code.

For Ex.

Codes        Count
123             10
111
222
333
444
555

The above is showing us as total count of values, but i need the unique count of each values like

Codes        Count
    123             5
    111             1
    222             1
    333             1
    444             1
    555             1

Please help on this. If you have any questions please post. Thanks in advance!!!

Tags (2)
0 Karma

kamaleshwar
Explorer

Actually the result should be like this.

ID                        Codes        Count
example1            123            5
                              111            1
                              222            1
                              333            1
                              444            1
                              555            1

Example2            668            3
                              554            1
                              666            1
0 Karma

javiergn
SplunkTrust
SplunkTrust

See my second answer below.
Please let me know if that's not exactly what you are looking for.

0 Karma

gyslainlatsa
Motivator

hi,
with this query, you have the answer

 your base search |stats dc(Codes) as Count_Codes by field

where field contains the values of the field codes

0 Karma

kamaleshwar
Explorer

Thanks for your response! This is not exactly i want.

0 Karma

Jeremiah
Motivator

Sounds like adding a by clause will give you what you need:

| stats count by code 
0 Karma

kamaleshwar
Explorer

this one won't help if we have multiple user using multiple codes. I've added the sample result above.

0 Karma

Jeremiah
Motivator

Ah ok, then try this one:

... | stats count by ID code | stats list(code) AS code list(count) AS count by ID

0 Karma

kamaleshwar
Explorer

Thanks for your response! Actually it's not working. It's simply showing a empty space.

0 Karma

javiergn
SplunkTrust
SplunkTrust

Hi,

Simply do:

yoursearch
| stats count by Codes

And it'll give you the output you are looking for.

javiergn
SplunkTrust
SplunkTrust

If there's an ID simply do it this way:

 yoursearch
| stats count by Codes, ID

If you want to display it exactly the way you mentioned above then this is probably closer:

yoursearch
| stats count by Codes, ID
| stats list(Codes) as Codes, list(count) as count by ID
0 Karma

kamaleshwar
Explorer

Thanks for your response! Actually it's not working. It's simply showing a empty space.

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...