Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Distinct count of multiple values from the same field

kamaleshwar
Explorer
‎03-10-2016 04:47 AM

I have some fields "Codes" "Count". In the "Codes" field i'll get multiple values and will count the values totally by using "dc(Codes) as Count". But i need the unique count of each code.

For Ex. 

Codes        Count
123             10
111
222
333
444
555

The above is showing us as total count of values, but i need the unique count of each values like 

Codes        Count
    123             5
    111             1
    222             1
    333             1
    444             1
    555             1

Please help on this. If you have any questions please post. Thanks in advance!!!

Tags (2)
0 Karma
Reply

kamaleshwar
Explorer
‎03-10-2016 05:09 AM

Actually the result should be like this.

ID                        Codes        Count
example1            123            5
                              111            1
                              222            1
                              333            1
                              444            1
                              555            1

Example2            668            3
                              554            1
                              666            1
0 Karma
Reply

javiergn
Super Champion
‎03-10-2016 05:29 AM

See my second answer below.
Please let me know if that's not exactly what you are looking for.

0 Karma
Reply

gyslainlatsa
Motivator
‎03-10-2016 05:05 AM

hi,
with this query, you have the answer

 your base search |stats dc(Codes) as Count_Codes by field

where field contains the values of the field codes

0 Karma
Reply

kamaleshwar
Explorer
‎03-10-2016 07:41 AM

Thanks for your response! This is not exactly i want.

0 Karma
Reply

Jeremiah
Motivator
‎03-10-2016 04:59 AM

Sounds like adding a by clause will give you what you need:

| stats count by code
0 Karma
Reply

kamaleshwar
Explorer
‎03-10-2016 05:12 AM

this one won't help if we have multiple user using multiple codes. I've added the sample result above.

0 Karma
Reply

Jeremiah
Motivator
‎03-10-2016 05:37 AM

Ah ok, then try this one:

... | stats count by ID code | stats list(code) AS code list(count) AS count by ID

0 Karma
Reply

kamaleshwar
Explorer
‎03-10-2016 07:40 AM

Thanks for your response! Actually it's not working. It's simply showing a empty space.

0 Karma
Reply

javiergn
Super Champion
‎03-10-2016 04:58 AM

Hi,

Simply do:

yoursearch
| stats count by Codes

And it'll give you the output you are looking for.

Reply

javiergn
Super Champion
‎03-10-2016 05:29 AM

If there's an ID simply do it this way:

 yoursearch
| stats count by Codes, ID

If you want to display it exactly the way you mentioned above then this is probably closer:

yoursearch
| stats count by Codes, ID
| stats list(Codes) as Codes, list(count) as count by ID
0 Karma
Reply

kamaleshwar
Explorer
‎03-10-2016 07:40 AM

Thanks for your response! Actually it's not working. It's simply showing a empty space.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...
Top