Splunk Search

How do I edit my search to output unique values per host?

prakash007
Builder

Any help would be much appreciated here..

Here's my search:

index=main host=host1* source=*server.log*  "exception" |  stats count, values(instance) by host

I'm getting this output:

host    count   values(instance)
host1   1073     ins1
                 ins2
                 ins3
host2   1021     ins2
                 ins3

I'm looking for output with unique values for each instance, your help would be appreciated:

host    count   values(instance)
host1   1000     ins1
        70       ins2
        3        ins3
host2   1000     ins2
        21       ins3
0 Karma
1 Solution

jedatt01
Builder

The reason you are only getting a single count is because of your by clause. It will only show the total count for each host. To accomplish what you want you need run stats on your data twice.

Index=main host=host1* source=server.log "exception" | stats count by host instance | stats list(count) list(instance) by host

View solution in original post

0 Karma

jedatt01
Builder

The reason you are only getting a single count is because of your by clause. It will only show the total count for each host. To accomplish what you want you need run stats on your data twice.

Index=main host=host1* source=server.log "exception" | stats count by host instance | stats list(count) list(instance) by host

0 Karma

prakash007
Builder

I got the expected output. Thanks much jedatt01.

0 Karma

jedatt01
Builder

mcnamara, plz vote up my answer so when people search they know that this answer did indeed work for you.

0 Karma
Get Updates on the Splunk Community!

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...