Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Get column count as new column

keronedave
Explorer
‎06-13-2017 04:14 AM

I have three columns from a search query. I would like to count the items in one column and display it next to the other two columns. EG

Column A Column B Column C (count of columnB)
ip add 1 vuln1 4
vuln2
vuln3
vuln4

ip add 2 vuln1 2
vuln2

etc.

query:
.. | transaction ipadd |table ipadd, vuln

All help highly appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-13-2017 05:01 AM

Like this:

 YourBaseSearchHere
| eventstats dc(FieldNameToCountValuesOfHere) BY Other Field Names Here But Not The Field Name In the dc()

View solution in original post

Reply
Solved! Jump to solution

msmithgsky
New Member
‎07-08-2019 07:54 AM

What if you wanted to list the vuln columns and a total number at the end of each row, not summarize the values on the vuln column but count the number of vuln columns. Seems addtotals only allows for sum and not a count.

ipadd vuln1 vlun2 vuln3...... total columns

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-13-2017 05:01 AM

Like this:

 YourBaseSearchHere
| eventstats dc(FieldNameToCountValuesOfHere) BY Other Field Names Here But Not The Field Name In the dc()
Reply
Solved! Jump to solution

keronedave
Explorer
‎06-13-2017 07:52 AM

Hi Woodcock,

Thanks for your response,

Your solution worked a treat!!!. I did amend it a bit.

basesearch
| transaction ipadd
| eventstats dc(columnB) as columnC by ipadd | table columnA, columnB, columnC
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-08-2019 09:37 AM

Great! Now get rid of that nasty transaction. It will cause you no end of trouble. There are some good hints in other answers.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎06-13-2017 04:30 AM

You can do this though stats instead of transaction if ipadd is the only key for correlation

 <YourBaseSearch>
| stats values(vuln) as vuln dc(vuln) as VulnCount by ipadd

You do not need transaction

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-13-2017 04:30 AM

Hi keronedave,
try something like this:

your_search 
| transaction ipadd 
| stats values(ColumnB) AS ColumnB values(ColumnC) AS ColumnC count by ColumnA 
| rename count AS Column D

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

keronedave
Explorer
‎06-13-2017 07:46 AM

Hi Giuseppe,
Thanks for your response
Your query counts by the ipadd field giving a result of one. The columnC is hypothetical at the moment. It is what am looking to add. I tried the query as is and the result was columnC was always 1 which is less than the sum of values in columnB

This edited query gives a false result (higher count than what columnB has)

my search
| transaction ipadd
| stats values(ColumnB) AS ColumnB count by ColumnA
| rename count AS Column D

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...