Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How do you count multiple fields with the stats count command?

Spiere
Path Finder
‎01-18-2016 05:54 AM

Hey guys,

Question for you. I have a query where I am searching for multiple field names inside of the query - sourcetype=testing PhpFatal="PHP Fatal error" OR DrupalPHPFatal="Error: PHP FATAL Error" OR AccessDenied="Access Denied" OR PageNotFound="page not found" is it possible to use stats count in order to count up each of the fields?

Something like sourcetype=testing PhpFatal="PHP Fatal error" OR DrupalPHPFatal="Error: PHP FATAL Error" OR AccessDenied="Access Denied" OR PageNotFound="page not found" | stats count by PhpFatal, DrupalPHPFatal, AccessDenied, PageNotFound

Is this possible?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jeffland
SplunkTrust
SplunkTrust
‎01-18-2016 06:13 AM

Sure! But it depends on how your events look, i.e. if one event can contain more than one of your fields or whether they are mutually exclusive in one event. If one event can only ever contain one of those fields, you can use this command:

sourcetype=testing PhpFatal="PHP Fatal error" OR DrupalPHPFatal="Error: PHP FATAL Error" OR AccessDenied="Access Denied" OR PageNotFound="page not found"
| eval message=coalesce(PhpFatal, DrupalPHPFatal, AccessDenied, PageNotFound)
| stats count by message

The first command will create a new field named "message", and depending on which of the other fields the event contains it will use the data from that field as its content.

If your events can contain more than one of the initial fields, you can do this:

sourcetype=testing PhpFatal="PHP Fatal error" OR DrupalPHPFatal="Error: PHP FATAL Error" OR AccessDenied="Access Denied" OR PageNotFound="page not found"
| eval helper=PhpFatal.";".DrupalPHPFatal.";".AccessDenied.";".PageNotFound
| makemv delim=";" helper
| stats count by helper

The eval command will again create a new field, "helper", which is just a concatenation of all the other fields delimited by ;. The next command creates a multivalue field based on the delimiter, which prepares the field for counting by the stats command.

Keep in mind that the latter method will produce overlapping counts, i.e. if you have 20 original events and 10 of them have two of your fields, the sum of your stats will show 30.

View solution in original post

Reply
Solved! Jump to solution

gyslainlatsa
Motivator
‎01-18-2016 06:22 AM

hi Spiere,

it is not possible, try looks the description at the use of the command stats: Each time you invoke the stats command, you can use more than one function. However, you can only use one by clause.

For mor informations, follow this link:

docs.splunk.com/Documentation/Splunk/latest/SearchReference/Stats

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-18-2016 06:32 AM

The OP's suggested stats command uses a single by clause so it is syntactically correct.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

jeffland
SplunkTrust
SplunkTrust
‎01-18-2016 06:13 AM

Sure! But it depends on how your events look, i.e. if one event can contain more than one of your fields or whether they are mutually exclusive in one event. If one event can only ever contain one of those fields, you can use this command:

sourcetype=testing PhpFatal="PHP Fatal error" OR DrupalPHPFatal="Error: PHP FATAL Error" OR AccessDenied="Access Denied" OR PageNotFound="page not found"
| eval message=coalesce(PhpFatal, DrupalPHPFatal, AccessDenied, PageNotFound)
| stats count by message

The first command will create a new field named "message", and depending on which of the other fields the event contains it will use the data from that field as its content.

If your events can contain more than one of the initial fields, you can do this:

sourcetype=testing PhpFatal="PHP Fatal error" OR DrupalPHPFatal="Error: PHP FATAL Error" OR AccessDenied="Access Denied" OR PageNotFound="page not found"
| eval helper=PhpFatal.";".DrupalPHPFatal.";".AccessDenied.";".PageNotFound
| makemv delim=";" helper
| stats count by helper

The eval command will again create a new field, "helper", which is just a concatenation of all the other fields delimited by ;. The next command creates a multivalue field based on the delimiter, which prepares the field for counting by the stats command.

Keep in mind that the latter method will produce overlapping counts, i.e. if you have 20 original events and 10 of them have two of your fields, the sum of your stats will show 30.

Reply
Solved! Jump to solution

Spiere
Path Finder
‎01-18-2016 06:34 AM

thanks! The first command worked well for me since they were all separate fields.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...