Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Distinct count of multiple values from the same field

kamaleshwar
Explorer
‎03-10-2016 04:47 AM

I have some fields "Codes" "Count". In the "Codes" field i'll get multiple values and will count the values totally by using "dc(Codes) as Count". But i need the unique count of each code.

For Ex. 

Codes        Count
123             10
111
222
333
444
555

The above is showing us as total count of values, but i need the unique count of each values like 

Codes        Count
    123             5
    111             1
    222             1
    333             1
    444             1
    555             1

Please help on this. If you have any questions please post. Thanks in advance!!!

Tags (2)
0 Karma
Reply

kamaleshwar
Explorer
‎03-10-2016 05:09 AM

Actually the result should be like this.

ID                        Codes        Count
example1            123            5
                              111            1
                              222            1
                              333            1
                              444            1
                              555            1

Example2            668            3
                              554            1
                              666            1
0 Karma
Reply

javiergn
Super Champion
‎03-10-2016 05:29 AM

See my second answer below.
Please let me know if that's not exactly what you are looking for.

0 Karma
Reply

gyslainlatsa
Motivator
‎03-10-2016 05:05 AM

hi,
with this query, you have the answer

 your base search |stats dc(Codes) as Count_Codes by field

where field contains the values of the field codes

0 Karma
Reply

kamaleshwar
Explorer
‎03-10-2016 07:41 AM

Thanks for your response! This is not exactly i want.

0 Karma
Reply

Jeremiah
Motivator
‎03-10-2016 04:59 AM

Sounds like adding a by clause will give you what you need:

| stats count by code
0 Karma
Reply

kamaleshwar
Explorer
‎03-10-2016 05:12 AM

this one won't help if we have multiple user using multiple codes. I've added the sample result above.

0 Karma
Reply

Jeremiah
Motivator
‎03-10-2016 05:37 AM

Ah ok, then try this one:

... | stats count by ID code | stats list(code) AS code list(count) AS count by ID

0 Karma
Reply

kamaleshwar
Explorer
‎03-10-2016 07:40 AM

Thanks for your response! Actually it's not working. It's simply showing a empty space.

0 Karma
Reply

javiergn
Super Champion
‎03-10-2016 04:58 AM

Hi,

Simply do:

yoursearch
| stats count by Codes

And it'll give you the output you are looking for.

Reply

javiergn
Super Champion
‎03-10-2016 05:29 AM

If there's an ID simply do it this way:

 yoursearch
| stats count by Codes, ID

If you want to display it exactly the way you mentioned above then this is probably closer:

yoursearch
| stats count by Codes, ID
| stats list(Codes) as Codes, list(count) as count by ID
0 Karma
Reply

kamaleshwar
Explorer
‎03-10-2016 07:40 AM

Thanks for your response! Actually it's not working. It's simply showing a empty space.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...