Splunk Search
Highlighted

How to add a new column in my chart with a new event count after using the dedup command?

Path Finder

I have a search like this:

search| stats count by errortype

which is quite simple and returns:

errortype   count
1600         45
1234         60

Now I want to add in same chart a new column using the dedup command (that I already have and works), but filters a new result with less logs count. I would like to have something like:

errortype count newcount

How can I do it?

0 Karma
Highlighted

Re: How to add a new column in my chart with a new event count after using the dedup command?

Legend

You could either do a | stats count dc(field) as distinct by errortype or use appendcols like this

.. | stats count by errortype | appendcols [ search ... | dedup field | stats count as distinct by errortype  ]

View solution in original post

Highlighted

Re: How to add a new column in my chart with a new event count after using the dedup command?

Path Finder

thanks budy, appendcols worked perfectly

0 Karma
Highlighted

Re: How to add a new column in my chart with a new event count after using the dedup command?

Community Manager
Community Manager

@guillecasco Glad you found your answer through @sundareshr !

Since it has a working solution, don't forget to resolve the question by clicking "Accept" directly below sundareshr's post.

0 Karma