Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I split the values in the stats table. I have used in combination of stats Values() count() by host

nawazns5038
Builder
‎02-07-2017 10:58 PM

alt textindex=* | stats values(source),values(sourcetype),count(sourcetype) by host ....query i used

host values(source) values(sourcetype) count(sourcetype)
xyz WinAuthentication_Security.log test 54971
sysmonitor.log test2

The value 54971 is the combined value of all both the sourceype . I want that total to be split accordingly. something like this:

host values(source) values(sourcetype) count(sourcetype)
xyz WinAuthentication_Security.log test 4000
sysmonitor.log test2 1971

Can you please suggest.

Tags (2)
Preview file
37 KB
0 Karma
Reply

lguinn2
Legend
‎02-08-2017 05:56 AM

You could do this

index=* 
| stats values(source) as source count by host sourcetype

If that is not the format that you want, then you could do something like this:

index=* 
| stats values(source) as source count by host sourcetype
| stats values(source) as source list(sourcetype) as sourcetype list(count) as totals_by_sourcetype by host
Reply

nawazns5038
Builder
‎02-08-2017 11:57 AM

Hi lguinn ,

Thanks for the query. I want the count values to be split in the individual row rather than mixing everything into single row.

I want to see the individual count of the sourcetype for the respective row.

0 Karma
Reply

lguinn2
Legend
‎02-08-2017 12:17 PM

I don't think I understand your comment. The first search will split the counts by sourcetype; I think that is what you asked for. But maybe you want this:

index=* 
 | stats count by host sourcetype source

In which case, the following will be at least 10x faster:

| tstats count where index=* by host sourcetype source
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...