Solved: How do you use a count without a parameter?

jkrobbins · ‎10-31-2018

Most of the examples I've seen (still learning) use count like so:

| stats count(src_ip) as IP

but I occasionally find an example like this:

| stats count

or

| stats count as IP

Why and when would you use count without a field name? How does it even work, that is, how does it know what field to count?

I've searched the documentation and can't find any explanation for the different formats.

FrankVl · ‎10-31-2018

A count without a field name specified, simply counts the total number of events. count(field1) counts the number of events that have field1 populated. So if every event contains field1, count and count(field1) will give the same result. But if some of your events don't contain field1, the two methods will give different results.

View solution in original post

FrankVl · ‎10-31-2018

A count without a field name specified, simply counts the total number of events. count(field1) counts the number of events that have field1 populated. So if every event contains field1, count and count(field1) will give the same result. But if some of your events don't contain field1, the two methods will give different results.

jkrobbins · ‎10-31-2018

Thank you. That makes perfect sense. I should have figured that out.

How do you use a count without a parameter?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms