Solved: Re: How can I count values by a subgroup?

yk010123 · ‎04-12-2022

I have the following data :

Service	Message
Service1	Hello world
Service2	Another message
Service1	Hello world
Service1	Some other message

How can I write a query such that the final output looks like :

Service : Unique message : count

For example :

Service1 : Hello World : 2

Service1:Some other message : 1

Service2: Some other message

VatsalJagani · ‎04-12-2022

Try:

<your current search>
| stats count by Service, Message

I hope this helps!!!

View solution in original post

kamlesh_vaghela · ‎04-12-2022

@yk010123

Add custom field in @VatsalJagani search to get values in desired format.

YOUR_SEARCH
| stats count by Service Message
| eval custom_field=Service.":".Message.":".count

My Sample Search :

| makeresults | eval _raw="Service	Message
Service1	Hello world
Service2	Another message
Service1	Hello world
Service1	Some other message" | multikv forceheader=1
| table Service	Message
| rename comment as "Upto now is for sample data only"
| stats count by Service Message
| eval custom_field=Service.":".Message.":".count

Thanks
KV

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

VatsalJagani · ‎04-12-2022

Try:

<your current search>
| stats count by Service, Message

I hope this helps!!!

How can I count values by a subgroup?

count

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!