Solved: Re: How can I count values by a subgroup?

yk010123 · ‎04-12-2022

I have the following data :

Service	Message
Service1	Hello world
Service2	Another message
Service1	Hello world
Service1	Some other message

How can I write a query such that the final output looks like :

Service : Unique message : count

For example :

Service1 : Hello World : 2

Service1:Some other message : 1

Service2: Some other message

VatsalJagani · ‎04-12-2022

Try:

<your current search>
| stats count by Service, Message

I hope this helps!!!

View solution in original post

kamlesh_vaghela · ‎04-12-2022

@yk010123

Add custom field in @VatsalJagani search to get values in desired format.

YOUR_SEARCH
| stats count by Service Message
| eval custom_field=Service.":".Message.":".count

My Sample Search :

| makeresults | eval _raw="Service	Message
Service1	Hello world
Service2	Another message
Service1	Hello world
Service1	Some other message" | multikv forceheader=1
| table Service	Message
| rename comment as "Upto now is for sample data only"
| stats count by Service Message
| eval custom_field=Service.":".Message.":".count

Thanks
KV

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

VatsalJagani · ‎04-12-2022

Try:

<your current search>
| stats count by Service, Message

I hope this helps!!!

How can I count values by a subgroup?

count

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation