Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do I get row number grouped by column?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can add an absolute row number to my search results with
streamstats count as row
However, I would like the row count to group by other columns. So in the example below, the row number groups by COL_A - each time the value of COL_A changes, the row number (ROW column) resets to 1 again
ROW | COL_A | COL_B
---------------------
1 | ABC | 123
2 | ABC | 456
3 | ABC | 789
1 | DEF | 123
2 | DEF | 456
1 | GHI | 789
Any ideas?
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
index="the_index" earliest=-7month@month latest=@month | bucket _time span=1month | stats count by custName _time | table custName _time count | streamstats count as row by custName| fields row *
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
index="the_index" earliest=-7month@month latest=@month | bucket _time span=1month | stats count by custName _time | table custName _time count | streamstats count as row by custName| fields row *
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
YOu are almost there. Just add a "by COL_A" in you streamstats command.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually, worked it out. the "by" clause goes after the "as" clause, which is not like usual Splunk syntax. I would have expected an error rather than an empty column. Anyway, thanks for the help. For clarity, the correct search is:
index="the_index" earliest=-7month@month latest=@month | bucket _time span=1month | stats count by custName _time | table custName _time count | streamstats as row count by custName | fields row *
Not sure how to mark your answer as correct and give you points if you only gave it in a comment rather than as an answer, but thanks again!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Streamstats works for me if I don't have a "by" clause, but as soon as I add the "by", the column has no values. My search is trying to create a set of row numbers per custName, with the count column being the number of records for that customer in the month:
index="the_index" earliest=-7month@month latest=@month | bucket _time span=1month | stats count by custName _time | table custName _time count | streamstats count by custName as row | fields row *
What stupid mistake am I making?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
