Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Get column count as new column

keronedave
Explorer
‎06-13-2017 04:14 AM

I have three columns from a search query. I would like to count the items in one column and display it next to the other two columns. EG

Column A Column B Column C (count of columnB)
ip add 1 vuln1 4
vuln2
vuln3
vuln4

ip add 2 vuln1 2
vuln2

etc.

query:
.. | transaction ipadd |table ipadd, vuln

All help highly appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-13-2017 05:01 AM

Like this:

 YourBaseSearchHere
| eventstats dc(FieldNameToCountValuesOfHere) BY Other Field Names Here But Not The Field Name In the dc()

View solution in original post

Reply
Solved! Jump to solution

msmithgsky
New Member
‎07-08-2019 07:54 AM

What if you wanted to list the vuln columns and a total number at the end of each row, not summarize the values on the vuln column but count the number of vuln columns. Seems addtotals only allows for sum and not a count.

ipadd vuln1 vlun2 vuln3...... total columns

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-13-2017 05:01 AM

Like this:

 YourBaseSearchHere
| eventstats dc(FieldNameToCountValuesOfHere) BY Other Field Names Here But Not The Field Name In the dc()
Reply
Solved! Jump to solution

keronedave
Explorer
‎06-13-2017 07:52 AM

Hi Woodcock,

Thanks for your response,

Your solution worked a treat!!!. I did amend it a bit.

basesearch
| transaction ipadd
| eventstats dc(columnB) as columnC by ipadd | table columnA, columnB, columnC
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-08-2019 09:37 AM

Great! Now get rid of that nasty transaction. It will cause you no end of trouble. There are some good hints in other answers.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎06-13-2017 04:30 AM

You can do this though stats instead of transaction if ipadd is the only key for correlation

 <YourBaseSearch>
| stats values(vuln) as vuln dc(vuln) as VulnCount by ipadd

You do not need transaction

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-13-2017 04:30 AM

Hi keronedave,
try something like this:

your_search 
| transaction ipadd 
| stats values(ColumnB) AS ColumnB values(ColumnC) AS ColumnC count by ColumnA 
| rename count AS Column D

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

keronedave
Explorer
‎06-13-2017 07:46 AM

Hi Giuseppe,
Thanks for your response
Your query counts by the ipadd field giving a result of one. The columnC is hypothetical at the moment. It is what am looking to add. I tried the query as is and the result was columnC was always 1 which is less than the sum of values in columnB

This edited query gives a false result (higher count than what columnB has)

my search
| transaction ipadd
| stats values(ColumnB) AS ColumnB count by ColumnA
| rename count AS Column D

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top