Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Distinct count of multiple values from the same field

kamaleshwar
Explorer
‎03-10-2016 04:47 AM

I have some fields "Codes" "Count". In the "Codes" field i'll get multiple values and will count the values totally by using "dc(Codes) as Count". But i need the unique count of each code.

For Ex. 

Codes        Count
123             10
111
222
333
444
555

The above is showing us as total count of values, but i need the unique count of each values like 

Codes        Count
    123             5
    111             1
    222             1
    333             1
    444             1
    555             1

Please help on this. If you have any questions please post. Thanks in advance!!!

Tags (2)
0 Karma
Reply

kamaleshwar
Explorer
‎03-10-2016 05:09 AM

Actually the result should be like this.

ID                        Codes        Count
example1            123            5
                              111            1
                              222            1
                              333            1
                              444            1
                              555            1

Example2            668            3
                              554            1
                              666            1
0 Karma
Reply

javiergn
Super Champion
‎03-10-2016 05:29 AM

See my second answer below.
Please let me know if that's not exactly what you are looking for.

0 Karma
Reply

gyslainlatsa
Motivator
‎03-10-2016 05:05 AM

hi,
with this query, you have the answer

 your base search |stats dc(Codes) as Count_Codes by field

where field contains the values of the field codes

0 Karma
Reply

kamaleshwar
Explorer
‎03-10-2016 07:41 AM

Thanks for your response! This is not exactly i want.

0 Karma
Reply

Jeremiah
Motivator
‎03-10-2016 04:59 AM

Sounds like adding a by clause will give you what you need:

| stats count by code
0 Karma
Reply

kamaleshwar
Explorer
‎03-10-2016 05:12 AM

this one won't help if we have multiple user using multiple codes. I've added the sample result above.

0 Karma
Reply

Jeremiah
Motivator
‎03-10-2016 05:37 AM

Ah ok, then try this one:

... | stats count by ID code | stats list(code) AS code list(count) AS count by ID

0 Karma
Reply

kamaleshwar
Explorer
‎03-10-2016 07:40 AM

Thanks for your response! Actually it's not working. It's simply showing a empty space.

0 Karma
Reply

javiergn
Super Champion
‎03-10-2016 04:58 AM

Hi,

Simply do:

yoursearch
| stats count by Codes

And it'll give you the output you are looking for.

Reply

javiergn
Super Champion
‎03-10-2016 05:29 AM

If there's an ID simply do it this way:

 yoursearch
| stats count by Codes, ID

If you want to display it exactly the way you mentioned above then this is probably closer:

yoursearch
| stats count by Codes, ID
| stats list(Codes) as Codes, list(count) as count by ID
0 Karma
Reply

kamaleshwar
Explorer
‎03-10-2016 07:40 AM

Thanks for your response! Actually it's not working. It's simply showing a empty space.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...